BlackBerry vulnerability exposed at Pwn2Own; no fix in sight

In light of a WebKit vulnerability discovered at this year’s Pwn2Own conference in Vancouver, Research In Motion has issued a bulletin for its most security-conscious customers. The vulnerability affects handsets running BlackBerry Device Software version 6.0 or higher, and an exploit could allow an attacker to gain access to data stored on the media card or in the media storage area built into BlackBerry devices. RIM notes that the vulnerability does not grant attackers access to email, calendar, contact, or application store data. Regardless, if you’re reading this with your tinfoil hat on, the company has issued a list of workarounds that can reduce your exposure to the hack. Standalone users can disable JavaScript in their Internet browser; JavaScript is not the root of the problem, but it is required to exploit the vulnerability. BlackBerry Enterprise Server administrators can disable the BlackBerry browser altogether from the BES console, which, as you can imagine, has other implications. RIM has yet to comment on when a more permanent fix might become available, but it has issued a statement saying it is “investigating the issue to determine the best resolution for protecting BlackBerry smartphone users.”

27 Comments
  • http://twitter.com/Havalo Havalo Lolawo

    Old news?

    • RudyH

      Quite old

      The same hack they tried doing on WebKit didn’t work, the same one that took out the iPhone 4 in 5 seconds. So they threw 3 more hacks at the Blackberry and eventually it gave up.

      RIM should have NEVER used Apple’s coding, Apple is horrible at anything security related as Pwn2Own proved for the past 5 years from Mac OS X to iOS.

      • http://www.facebook.com/profile.php?id=1001483324 Gerry Quaglia

        Guess you didn’t read the article where it said, BB OS is secure not by design, but because its guts are undocumented and obscure. Once someone decides they want to take down BB OS, then it will happen. They also said Apple is faring far better in security on the iPhone than BB is.

      • Guest

        Apple is better… than it used to be… it’s still not good enough… and as far as security goes… nothing is bulletproof

      • Anonymous

        I’m not certain RudyH can read at all.

      • Right-o

        @Gerry:

        Not a single one of your sentences makes any sense whatsoever.

        1st sentence: BB OS’s longstanding and ongoing security certifications mean full disclosure to government bureaucrats and propeller heads. Translation: there is more documentation than you can shake a stick at. BB OS is secure by design and requirement by its customers – banks, governments, corporations.

        2nd sentence: I am sure that banks, governments and corporations all make highly valuable targets, more than the typical iPhone-toting Foursquare/Twitter-using hotshot. I’m sure lots of people want to take them down. If they’d succeeded, the word would get out very fast. “They” did not succeed.

        3rd sentence: Most security phones on iPhone pretty well mean arbitrary code execution and pwning root. A security hole on a BB does not. BB OS is not a Unix clone, and all data is encrypted, so arbitrary code execution doesn’t really get far. As for what happens when QNX is used, that’s another story.

        But don’t take my word for it. Ask the pwn2own crowd whether they think “Apple fares far better in security on the iPhone than BB.” The fact is Apple doesn’t even fare well on security compared to Microsoft.

  • http://pulse.yahoo.com/_GP2WYAHXS6CRUREISWBGPUSUGE Michael

    @RudyH, Blackberry’s use of a WebKit browser is nothing related to iOS, and/or Apple and its subsidiaries.

    WebKit browsers are a design that may use a universal style coding but it has nothing to do with Apple. Don’t you think they would have patented it to prevent anyone else from using it?

    RIM got its dick smacked, that’s all there is to it. And they got it smacked in pure Jackass fashion.

    • Kevin

      Silly Michael, trix are for kids. Don’t get so butthurt when Apple gets criticized and spout nonsense.

      • http://pulse.yahoo.com/_GP2WYAHXS6CRUREISWBGPUSUGE Michael

        Dude I could care less about Apple. A quick journey through my post history would prove that.

  • http://twitter.com/wafguy WAF Guy

    Has Apple issued a bulletin suggesting workarounds to the Safari vulnerability demonstrated at Pwn2Own? (Or, better yet, a fix?)

    If not, then maybe the headline should read: WebKit Vulnerabilities at Pwn2Own: RIM gives a shit, Apple, not so much.

    • Anonymous

      What does this have to do with Apple? You stupid ass troll, BB article, stay on topic

      • http://twitter.com/wafguy WAF Guy

        I think my comment had more to do with BGR than either Apple or BB.

    • http://www.bgr.com Andrew Munchbach

      Apple patched that specific hole in Safari: http://support.apple.com/kb/HT4566

      • http://twitter.com/wafguy WAF Guy

        Despite the snark, I was kinda looking to know if that was the case. Thx for the response.

      • http://www.bgr.com Andrew Munchbach

        You’re most welcome… your snark is why I love you.

  • QNX Please

    Yes because companies are usually able to issue fixes 48 hrs after a known exploit is found… This exploit isn’t even serious, oh no they got ahold of my music!! FML.

  • Anonymous

    These conferences are pretty sweet.

  • Anonymous

    This is a non-story. I mean, no one who would even visit BGR would still use a BlackBerry, right?

    Oops, sorry Andrew.

    • http://www.bgr.com Andrew Munchbach

      Ha. I’ve moved on to an iPhone, sadly. I do miss my Berry though *sigh*

      • QNX Please

        Pretty sure it’s a prerequisite to own an iPhone if you wish to work for BGR.

      • http://www.bgr.com Andrew Munchbach

        I would love to use an Android device, but I haven’t found one that will respect the security password timeout policy on our Exchange server. I absolutely hate typing my password into a phone every time I want to use it. Drives me crazy.

    • Ghenderson1

      I do. Have had 3 Macs, never getting an iPhone.

  • Max

    Just turn off JavaScript on your ancient browser, Blackberry MORONS. When you use 1997 technology (which is still way way too advanced for most Blackberry users), expect your system to get hacked by 2 year olds. Blackberry is for tech know-nothing morons who can only use a physical keyboard and play brickbreaker all day.

    • http://caspan.com Caspan

      I think you mean our newer than Apple’s browser got exploited. This is the best browser out there on a smart phone to date. Don’t even have a clue what you’re talking about. I believe this site calls people like you trolls, no idea but love to run their mouths!

  • DavidB

    So now the BlackBerry 6 browser will be almost as crippled as the browser on BlackBerry 5 and earlier has been for like FOREVER. Anyone that wants to even remotely TRY to get “on the web” with the older BlackBerry browser and knows what they’re doing has had JS disabled as one of the first steps taken once activating the phone! The 624MHz (or slower) CPU on every BlackBerry on the market today is totally swamped by practically ANY JavaScript such that it’s essentially impractical to keep it enabled.

  • Anonymous

    “NO FIX IN SIGHT” I guess you guys at BGR did not read the whole press release. They did say that a hot fix was coming. So spin away as you always do and keep reporting the most F*****-up side to all of your stories. Oh and btw the WebKit browser that you are trying to put down is not less secure than that of your highly prized iPhone browser, that uses the same tech behind it. One more thing, I think the iPhone fell to the same hack and they did it even faster on day ONE.

  • KCRic

    Wow, it amazes me how retarded Apple people are that comment on here. This was the new browser, not the slow as dog shit browser from back in the day. WebKit, you know, the same shit your iFail uses. Anyway, Blackberry users have the option to encrypt their SD card and all other data on the internal storage (though most common users don’t). Even if some exploit gained access to the information they’ll have one hell of a time decrypting it, more than they want to mess with. If it’s espionage, well government officials get extra encryption measures on their Blackberrys so it makes the process even more difficult. Piss off you iFail wannabe tech geniuses.
