BlackBerry Forums Support Community
              

Old 06-12-2013, 12:54 PM   #1
ZombieBerry
BlackBerry Extraordinaire
 
 
Join Date: Sep 2010
Location: Toronto
Model: Priv
OS: 5.1.1
PIN: 2AB9C463
Carrier: WIND
Posts: 2,364
BlackBerry warns of possible exploit with Z10 and PlayBook


https://threatpost.com/blackberry-is...ty-advisories/


"BlackBerry's security incident response team has issued two advisories warning Z10 smartphone and PlayBook tablet users to upgrade to the latest version of the operating system and software on both platforms. The patches address a remote code-execution vulnerability in the Adobe Flash Player integrated into the BlackBerry products, as well as a privilege escalation flaw in the BlackBerry OS.

Users and enterprise administrators are urged to upgrade their devices to BlackBerry 10 OS version 10.0.10.648 or later, and version 2.1.0.1526 of the PlayBook software.

The privilege escalation bug affects only Z10 smartphones and is not being exploited. BlackBerry said the severity is limited by the amount of user interaction and physical access on the attacker's part required to successfully exploit the vulnerability.

Successful exploitation requires not only that a customer enable BlackBerry Protect, use the feature to reset the device password and download a specifically crafted malicious app, but also that an attacker gain physical access to the phone, BlackBerry said in its advisory. If all of the specific requirements are met for exploitation, an attacker could potentially access or modify data on the device.

The vulnerability could enable a malicious application downloaded by the user to compromise weak permissions on a BlackBerry Protect object to compromise the device. By doing so, the app could gain the device password if a reset is requested through Protect; it also could prevent the device from executing commands from Protect such as remote wipe.

If all these conditions exist, an attacker could access BlackBerry Hub, applications and data, unlock the work perimeter compartment on the device, access the device over a USB tether in order to view files, change device passwords or access local and enterprise services.

BlackBerry Enterprise Server administrators are urged to disallow computer access to Work Space on the device, disallow the use of the same password for WorkSpace as for the rest of the device, require a password for Work Space, and restrict Development mode.

BlackBerry customer risk is limited by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction and physical access to the device, BlackBerry's Adrian Stone, director of security incident response and threat analysis, said in a statement. While successful exploitation requires several specific conditions, and there are no current attacks on customers, we recommend BlackBerry Z10 users install the latest software update to be fully protected from this issue.

As for the second advisory, Adobe Flash Player versions earlier than 10.0.10.648 included with Z10 are affected while versions 2.1.0.1526 on the PlayBook are impacted. Users are urged to upgrade on both platforms. BlackBerry stressed that the vulnerability is not in the operating system, nor is it being exploited in the wild.

Successful exploitation of this issue could potentially result in an attacker being able to execute arbitrary code in the context of the application that opens the specially crafted Adobe Flash content (typically the web browser), the advisory says. Failed exploitation of this issue might result in abnormal or unexpected termination of the application.

In order for an exploit to execute, the user must interact with a malicious .swf application embedded in website content or via an email attachment over webmail through a browser on one of the devices. The sandbox protection also built into both BlackBerry platforms is a mitigating factor here, BlackBerry said.

The vulnerability is described in CVE-2013-0630 as a buffer overflow in Adobe Flash Player before 10.3.183.50 and 11.x before 11.5.502.146 on Windows and Mac OS X.

Unlike on the PlayBook tablet, Flash is not enabled by default on the Z10 and users must turn it on to view Flash content on the phone's browser, BlackBerry said.

The attacker cannot force the user to access the content or bypass the requirement that the user chooses to access the content, the advisory said."

Source threatpost.com
__________________
fere libenter homines id quod volunt credunt

Last edited by ZombieBerry; 06-12-2013 at 01:21 PM.. Reason: Format and Stuff
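
An added example, not part of the original post or of BlackBerry's advisories: a small inventory triage that applies the two upgrade thresholds quoted in the article (10.0.10.648 for the Z10, 2.1.0.1526 for the PlayBook) and records that the privilege escalation issue applies to the Z10 only. The inventory records, field names and issue labels are constructed for illustration.

```python
# Minimum fixed versions, taken from the article quoted in the post above.
FIXED = {
    "Z10": "10.0.10.648",
    "PlayBook": "2.1.0.1526",
}

def parse_version(text):
    """Turn '10.0.10.648' into (10, 0, 10, 648); raise ValueError if malformed."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)

def exposure(model, version):
    """Return the issues from the two advisories a device is still exposed to."""
    if model not in FIXED:
        return ["unknown-model"]
    try:
        current = parse_version(version)
    except ValueError:
        # Never treat an unreadable version as patched; send it for manual review.
        return ["unparseable-version"]
    # Compare numerically, component by component. A plain string comparison
    # would rank "10.0.10.99" above "10.0.10.648" and miss an unpatched device.
    if current >= parse_version(FIXED[model]):
        return []
    issues = ["flash-rce"]                 # Flash Player issue: Z10 and PlayBook
    if model == "Z10":
        issues.append("protect-privesc")   # BlackBerry Protect issue: Z10 only
    return issues

def triage(inventory):
    """Map each device id to its list of outstanding issues."""
    return {d["id"]: exposure(d["model"], d["version"]) for d in inventory}

# Constructed sample inventory (hypothetical device ids and version strings).
INVENTORY = [
    {"id": "dev-01", "model": "Z10", "version": "10.0.10.99"},
    {"id": "dev-02", "model": "Z10", "version": "10.0.10.648"},
    {"id": "dev-03", "model": "PlayBook", "version": "2.0.1.668"},
    {"id": "dev-04", "model": "PlayBook", "version": "2.1.0.1526"},
    {"id": "dev-05", "model": "Z10", "version": "10.1.x"},
]

if __name__ == "__main__":
    for device_id, issues in triage(INVENTORY).items():
        print(device_id, "OK" if not issues else ", ".join(issues))
```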
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.