The Canadian company Research in Motion (RIM) has announced a handful of recently discovered vulnerabilities in its BlackBerry 6 handheld OS and BES for IBM Lotus Notes and Microsoft Exchange.
RIM reports that three newly discovered vulnerabilities in the BlackBerry 6 Webkit browser could allow a hacker to access and/or modify data stored within a BlackBerry 6 smartphone’s internal storage, as well as on its external media card. The flaws affect a number of BlackBerry smartphones running the BlackBerry 6 OS, including the Bold 9650, Bold 9700, Bold 9780, Curve 9300, Pearl 9100, Style 9670, and Torch 9800 handhelds.
RIM recommends updating your BlackBerry 6 smartphone’s OS to v184.108.40.2062 for the Bold 9650, Curve 9330, and Style 9670 smartphones, and to v220.127.116.116 for the remaining affected devices. However, some wireless carriers have not yet released these software builds, so RIM recommends contacting your carrier and requesting the appropriate software if it’s not yet available to you.
Secondly, RIM reports a new BES flaw that could affect organizations that employ Microsoft’s Office Communications Server (OCS) 2007 R2 and/or the Microsoft Lync Server 2010 BlackBerry IM Client with certain versions of RIM’s BES for Lotus Notes and BES for Microsoft Exchange.
The full report and support can be found on RIM’s official release page, but some details are included below.
“This security advisory addresses three specific vulnerabilities affecting the implementation of open source WebKit technology in the BlackBerry Browser in BlackBerry 6. Successful exploitation of the vulnerabilities requires the BlackBerry smartphone user to browse to a website that the attacker has maliciously designed. A successful attack could result in remote code execution (RCE) on a smartphone running BlackBerry 6. An attacker exploiting these vulnerabilities could read or write to the built-in media storage section of a BlackBerry smartphone or to the media card but could not access user data that the email, calendar, and contact applications store in the application storage (the internal file system that stores application data and user data) of the BlackBerry smartphone.
The most severe of the three vulnerabilities has a CVSS score of 6.8. The least severe has a CVSS score of 5.0.
At this time there is no evidence of the vulnerabilities being used in attacks against the BlackBerry platform, and RIM is not aware of any impact to BlackBerry customers as a result of these vulnerabilities.
RIM has issued the following updates that resolve these vulnerabilities in BlackBerry 6. RIM recommends that all affected users apply the available software updates below to fully protect their BlackBerry smartphones.
To check for the following available updates for your BlackBerry Device Software, visit http://www.blackberry.com/updates/ or connect your BlackBerry smartphone to your BlackBerry Desktop Software to automatically check for the following updates.
Note: If http://www.blackberry.com/updates/ or your BlackBerry Desktop Software indicates that your software is up to date but you are running an applications version earlier than the version for your BlackBerry smartphone model listed below, contact your wireless service provider to request the software update listed below.”