
RIM Reveals Browser Certificate Vulnerability


Al spotted this latest security advisory from RIM about the BlackBerry Browser. It turns out that most of the official BlackBerry Device Software versions out there are susceptible to a certificate handling issue: a NULL character embedded in a certificate's Common Name can fool users into thinking they are on a trusted website.

From RIM’s Advisory:

RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages. If a user visits a site that causes a BlackBerry Browser dialog box to warn the user about continuing the connection, the user should select Close connection.

Essentially, an attacker could send you a link to a website that presents a certificate whose Common Name contains a hidden NULL character (for example the name of a trusted site, then a NULL, then a domain the attacker controls). The BlackBerry Browser does notice that the Common Name does not match the site you are connecting to, and correctly pops up a warning. The problem is that the warning dialog does not render the NULL character, so the name it shows looks like the trusted site's and the warning looks like a routine mismatch rather than an attack. Make sure to CLOSE THIS CONNECTION!
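The mechanism above comes down to how the Common Name is handled once it leaves the certificate decoder. The following is an added example written for this page, not code from RIM or from the BlackBerry Browser. It compares a vulnerable name check that copies the CN into a C string (so everything after the embedded NUL silently disappears) with a hardened check that treats the CN as length-prefixed bytes, and it shows how a warning dialog should render the name so the NUL is visible. The sample CN and the hostnames are constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* A subject Common Name the way a DER decoder hands it over: a pointer plus
 * an explicit length. An embedded 0x00 byte is simply part of the value. */
typedef struct {
    const unsigned char *data;
    size_t len;
} der_string;

/* Constructed sample CN, not taken from any real certificate:
 * "www.example.com", then a NUL byte, then ".attacker.test"
 * (both names are hypothetical). The trailing terminator of the
 * string literal is excluded from the length. */
static const unsigned char SAMPLE_CN_BYTES[] = "www.example.com\0.attacker.test";
static const der_string SAMPLE_CN = { SAMPLE_CN_BYTES, sizeof SAMPLE_CN_BYTES - 1 };

/* Vulnerable pattern: copy the CN into a NUL-terminated buffer and compare it
 * with the C string functions. strcmp() stops at the first NUL, so the hostile
 * CN compares equal to the expected host. */
bool cn_matches_vulnerable(const der_string *cn, const char *host)
{
    char buf[256];
    if (cn->len >= sizeof buf)
        return false;
    memcpy(buf, cn->data, cn->len);
    buf[cn->len] = '\0';
    return strcmp(buf, host) == 0;
}

/* Hardened pattern: keep the CN as bytes plus length. Reject any embedded
 * NUL outright (never valid in a hostname) and compare the full DER length. */
bool cn_matches_hardened(const der_string *cn, const char *host)
{
    if (memchr(cn->data, 0, cn->len) != NULL)
        return false;
    size_t hlen = strlen(host);
    if (hlen != cn->len)
        return false;
    return memcmp(cn->data, host, cn->len) == 0;
}

/* Render a CN for a warning dialog. Each NUL byte becomes the visible two
 * characters "\0", so the user sees the whole name rather than a truncated,
 * innocent-looking one. Returns the rendered length (excluding terminator). */
size_t cn_display(const der_string *cn, char *out, size_t outlen)
{
    size_t pos = 0;
    for (size_t i = 0; i < cn->len; i++) {
        unsigned char c = cn->data[i];
        if (c == 0) {
            if (pos + 2 >= outlen)
                break;
            out[pos++] = '\\';
            out[pos++] = '0';
        } else {
            if (pos + 1 >= outlen)
                break;
            out[pos++] = (char)c;
        }
    }
    out[pos] = '\0';
    return pos;
}

int main(void)
{
    char shown[128];
    cn_display(&SAMPLE_CN, shown, sizeof shown);
    printf("CN as the dialog should show it: %s\n", shown);
    printf("vulnerable check accepts www.example.com: %d\n",
           cn_matches_vulnerable(&SAMPLE_CN, "www.example.com"));
    printf("hardened check accepts www.example.com:   %d\n",
           cn_matches_hardened(&SAMPLE_CN, "www.example.com"));
    return 0;
}
```

The vulnerable check returns true for the hostile CN while the hardened one returns false, and the rendered name shows the `\0` in the middle, which is exactly the detail the unpatched dialog hides.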

Sadly, it looks like RIM is yet again playing the carrier waiting game, letting carriers approve the patched OS versions before releasing them. I guess RIM has yet to find a solution for zero-day vulnerabilities that may arise in the future…

The table below lists the versions you need to be running to no longer be susceptible to this bug. Notice how AT&T is still on Bold OS 4.6.0.297, while 4.6.0.303 is the patched version.

Current software version                    Software version to update to
BlackBerry Device Software Version 4.5.0.x  BlackBerry Device Software Version 4.5.0.173 or later
BlackBerry Device Software Version 4.6.0.x  BlackBerry Device Software Version 4.6.0.303 or later
BlackBerry Device Software Version 4.6.1.x  BlackBerry Device Software Version 4.6.1.309 or later
BlackBerry Device Software Version 4.7.0.x  BlackBerry Device Software Version 4.7.0.179 or later
BlackBerry Device Software Version 4.7.1.x  BlackBerry Device Software Version 4.7.1.57 or later

This entry was posted on Tuesday, September 29th, 2009 and is filed under News.


11 Comments to “RIM Reveals Browser Certificate Vulnerability”

  1. Posted by: automan69

    I could be wrong here, but the patch list looks like for GSM phones. Do you have the list for CDMA?

    Reply
  2. The patch list is for the OS version, regardless of whether they are GSM or CDMA. My 8330 Curve has OS 4.5.0.169, which is the latest available for that device. However, the table above states I should have 4.5.0.173… which I haven't even seen in beta anywhere.

    I do not, however, see any OSes for earlier versions. I have users still on 4.2 or 4.3, so I will need to get them upgraded. I even have some 7290s on 4.0 (UGH!), but there is no 4.5 OS for that old device…

    Reply
  3. Posted by: automan69

    Thanks for the info joolie. Do you know if the new OS 5.0 will have the protection? Or are we still vulnerable?

    Reply
    • IMO, I would *guess* 5.0 will have it, but it hasn't been released yet so I can't be sure (and who knows if the beta version floating about has it, since it's not official yet).

      Reply
  4. Pretty obvious that:
    A) RIM doesn't care about devices not running at least 4.5. I think we are going to see that ALL solutions to anything arising on those devices will be “Upgrade to a new phone please”.
    B) RIM isn't going to say anything about 5.0; it isn't released, so technically NOBODY should be running it but beta testers. Right.
    C) Another speed bump for Storm. I'm SURE this will throw the entire Verizon TA process back to square one to fix the flaws in .148. :(

    Reply
  5. Yeah!!! More OS upgrades…

    Reply
  6. I love that 4.7.1.57 is required but not even leaked yet for the Tour. It is currently only being pushed to limited numbers of Sprint BES users, as far as I have heard.

    Reply
