
RIM Publishes Full Security Advisory for Old BlackBerry 6 WebKit Vulnerability

BlackBerry Torch 9800 hacked

This latest security advisory shows why RIM's current model of carrier-approved OS updates is not ideal. Back in March of this year RIM put out what it calls a security notice about a BlackBerry 6 WebKit browser vulnerability, the one used to exploit the BlackBerry 6 Browser at Pwn2Own that month. RIM said then that devices updated to OS were safe from the vulnerability. This week it finally issued a full security advisory for the same old vulnerability, with quite a few more details about it.

RIM took so long to release the advisory because it had to wait for carriers to approve the security software update. RIM delivered the fix to carriers within two weeks of learning of the vulnerability. Now, SIX MONTHS LATER, RIM has found that "a sufficient number of wireless service providers" have made the update available to their customers.

Here is RIM’s explanation for the delay:

A sufficient number of wireless service providers must make a security software update for BlackBerry smartphones publicly available to customers before RIM will publish full details of the software update in a Security Advisory. RIM delivered the software updates to its wireless service provider partners. Where a wireless service provider may not have then provided the software updates to all customers, this policy is intended to protect those customers from increased risk of exploitation.

Within two weeks of learning of the vulnerabilities that this Security Advisory addresses, RIM tested and delivered fixed software to our wireless service provider partners for their Technical Acceptance process. During the Technical Acceptance process, RIM monitored update availability for nine affected devices available through nearly 500 carriers globally until an availability level was achieved that allowed us to be confident that disclosure of the security vulnerabilities addressed by the software update would protect the interests of the majority of our customers.

RIM continues to work with our partners to expedite the process of software update delivery to BlackBerry smartphone customers.

Note: KB26132 was previously published as a Security Notice to responsibly advise customers about the existence of one of the three vulnerabilities, which had been publicly disclosed, and provide workaround options in lieu of a software update to address that issue for all affected customers. This Security Advisory replaces that Security Notice and provides full details of publicly available software updates that address that issue and two related issues, and urges affected customers to upgrade.

Six months to roll out a relatively critical software update is simply ridiculous in this fast-changing security scene… Thankfully the PlayBook's QNX-based OS has consistently received security updates within two weeks or so.

6 comments on this post
  1. RIM better not give carriers any say at all when it comes to BBX updates…

  2. The process isn’t really any different than say Android though… Users could easily wait a long time until a new android OS rolls out via manufacturers or carriers with security or bug fixes.

  3. I have held off loading OS 6 until my carrier has a version that is secure. Six months later and Rogers is still at an app version below that level needed. Grrrrrr.

  4. Ooppps. The BlackBerry Software download site (RIM’s Site) I always use for Rogers is at version (Bundle 1879). But if I check it from the Desktop App, it has version (Bundle 2921) which I see has had a number of issues with it. There needs to be a better way…

  5. The carrier controlled model is dead.

     Carriers care more about testing new phones than updating current ones. Too many Android phones are flooding the market so carriers have too big a responsibility to test. It is not feasible or practical to continue this model.



Copyright © 2007-2016 BerryReview LLC