(Via: BlackBerryForums.com.au: Blackberry Browser Security issue )
Research In Motion (NSDQ: RIMM) issued a security patch that fixes a vulnerability that potentially leaves BlackBerry users open to phishing attacks.
The flaw enables a malicious coder to trick BlackBerry users into visiting a potentially malicious Web site by making the device think the site is a trusted one. To exploit this, attackers would need to create a site that uses null characters in the certificate’s Common Name field. The device detects the mismatch between the domain name and the certificate, but the warning screen doesn’t display the hidden character, making the user think the site is trusted.
“The updated BlackBerry device software is designed to depict null characters in the BlackBerry browser dialog box that appears when the user visits a Web site with a certificate that does not match the site domain name,” RIM said in a security note. “In the updated BlackBerry device software, the BlackBerry device represents previously hidden null characters with a block, and highlights the non-matching portion of the domain name in bold.”
The security flaw was brought to RIM’s attention by Mobile Security Labs and CESG, and it impacts various BlackBerry models with the 4.5 version of the operating system or later. Individual users and BlackBerry Enterprise Software managers can check for updates from RIM’s Web site, and the company advises BlackBerry users to exercise caution when clicking on links they receive from SMS messages or e-mail.
The mobile platforms have not been a major target of malicious coders, particularly because the wide variety of operating systems makes mobile devices a harder target than Windows desktop machines. But as more users carry sensitive data on their handsets, most industry experts speculate it will only be a matter of time before a widespread mobile virus emerges.
DavidB ( View Profile) Guru - Posts: 1751
Posted: October 3, 2009 at 9:02 AM EST from my BlackBerry 9530
This is the same flaw Ronen posted about earlier in the week? http://www.berryreview.com/2009/09/29/rim-reveals-browser-certificate-vulnerability/
The same flaw that no carrier has released an OS update to fix yet???
ErnieH ( View Profile) Newcomer - Posts: 18
Posted: October 3, 2009 at 8:19 PM EST
I couldn’t find any “updates from RIM’s Web site”. Please share if anyone finds it.
rizky Not Registered
Posted: October 4, 2009 at 11:46 PM EST
just comments i wont shared information
Genaro201 ( View Profile) Newcomer - Posts: 45
Posted: October 5, 2009 at 8:11 AM EST
is this the reason y my blackberry internet browser hasnt been working, i cant even log on to aim or anything like that. then i call customer service, they make me delete all browsercofigurations from my service book, and i cant put it back on my phone. so im stuck with only tmobile browser and hotspot. i have no option anymore for the blackberry internet browser, anyone know how i can get it back. im going to give this a try if there is an update on the site, maybe it can fix my problem. This is So Frustrating.
Genaro
Name (required) Not Registered
Posted: October 5, 2009 at 11:59 AM EST
My question for RIM is, how exactly has this flaw been patched? There is no information listed in the above statement that explains that, other than stating “Device software updates”.
In RIM’s original statement they said the following:
Applications version to update to
Version 4.5.0.x -> Version 4.5.0.173 or later
Version 4.6.0.x -> Version 4.6.0.303 or later
Version 4.6.1.x -> Version 4.6.1.309 or later
Version 4.7.0.x -> Version 4.7.0.179 or later
Version 4.7.1.x -> Version 4.7.1.57 or later
However, the problem here lays in the fact that TECHNICALLY, you have to rely on your CARRIER to release the OS update. Just doing a quick search for the current available OS upgrades from carriers, I see the following:
8350i Most Current Upgrade: 4.6.1.204
8330 Sprint Most Current Upgrade: 4.5.0.131
8900 TMO Most Current Upgrade: 4.6.1.231
8520 TMO Most Current Upgrade: 4.6.1.259
8320 TMO Most Current Upgrade: 4.5.0.81
8900 ATT Most Current Upgrade: 4.6.1.231
So how exactly are users supposed to “upgrade” their device software to fix this flaw and still stay within the “Technical” warranty requirements of their carrier?
Most carriers won’t check the OS version to see if it is an “official version authorized by them” if a device comes back in for a warranty replacement, however, they could.
So what is the average Joe Consumer to do? Wait on an official OS upgrade? Search the internet to find a leaked BETA?
RIM said a long time ago (about a year ago) that they were going to “take the OS upgrades out of the carriers hands”. So why hasn’t that been done yet? And when are the carriers planning on releasing new software in order to “patch” this flaw”?
So in closing, like I mentioned to begin with, where is the “patch” at in the above statement that RIM released? There is no real information there for anyone to gather anything off of.