RIM Reveals Browser Certificate Vulnerability

Al spotted this latest security advisory from RIM about the BlackBerry Browser. It turns out that most of the official BlackBerry OS versions out there are susceptible to a certificate-handling issue: NULL characters embedded in a certificate's name fields can fool users into thinking they are on a trusted website.

From RIM’s Advisory:

RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages. If a user visits a site that causes a BlackBerry Browser dialog box to warn the user about continuing the connection, the user should select Close connection.

Essentially, a malicious hacker could send you a link to a website whose certificate has been altered with hidden null characters. In this phishing-style attack, the email leads you to the site, and the browser correctly pops up a message saying that the certificate's Common Name field does not match. The problem is that the dialog won't show the null characters, so the name it displays looks like the trusted site's, as in the message pictured to the right. Make sure to CLOSE THIS CONNECTION!

Sadly it looks like RIM is yet again playing the carrier waiting game and letting carriers approve the patched OS versions before releasing them. I guess RIM has yet to find a solution for Zero Day vulnerabilities that may arise in the future…

The table below lists the versions you need to be on to no longer be susceptible to this bug. Notice how AT&T is still on Bold OS 4.6.0.297… while version .303 is the patched version.

| Current software version | Software version to update to |
| --- | --- |
| BlackBerry Device Software Version 4.5.0.x | BlackBerry Device Software Version 4.5.0.173 or later |
| BlackBerry Device Software Version 4.6.0.x | BlackBerry Device Software Version 4.6.0.303 or later |
| BlackBerry Device Software Version 4.6.1.x | BlackBerry Device Software Version 4.6.1.309 or later |
| BlackBerry Device Software Version 4.7.0.x | BlackBerry Device Software Version 4.7.0.179 or later |
| BlackBerry Device Software Version 4.7.1.x | BlackBerry Device Software Version 4.7.1.57 or later |
9 total comments on this post
  1. I could be wrong here, but the patch list looks like for GSM phones. Do you have the list for CDMA?

  2. The patch list is for the OS version – regardless of if they are GSM vs CDMA. My 8330 Curve has OS 4.5.0.169, which is the latest available for that device. However, the table above states I should have 4.5.0.173… which I haven't even seen in beta anywhere.

    I do not, however, see any OSes for earlier versions. I have users still on 4.2 or 4.3 so I will need to get them upgraded. I even have some 7290s on 4.0 (UGH!), but there is no 4.5 OS for that old device…

  3. Thanks for the info joolie. Do you know if the new OS 5.0 will have the protection? Or are we still vulnerable?

    • IMO, I would *guess* 5.0 will have it, but it hasn't been released yet so can't be sure (and who knows if the beta version floating about has it since it's not official yet).

  4. Pretty obvious that:
    A) RIM doesn't care about devices not running at least 4.5. I think we are going to see that ALL solutions to anything arising on those devices are "Upgrade to new phone please".
    B) RIM isn't going to say anything about 5.0, it isn't released so technically NOBODY should be running it but beta testers. Right.
    C) Another speed bump for Storm, I'm SURE this will throw the entire Verizon TA process back to square one to fix the flaws in .148. :(

  5. Yeah!!! More OS upgrades…

  6. I love that the 4.7.1.57 is required but not even yet leaked for the Tour. It is only currently being pushed to limited numbers of Sprint BES users as far as I have heard.



Copyright © 2007-2014 BerryReview LLC