This latest security advisory goes to show why RIM’s current model for carrier-approved OS updates is not ideal. RIM put out what they call a security notice about a BlackBerry 6 WebKit browser vulnerability back in March of this year, for an exploit found in the BlackBerry 6 Browser at Pwn2Own that month. RIM said back then that devices updated to OS 126.96.36.1996+ were safe from the vulnerability. They then finally issued a security advisory this week for the same old vulnerability, with quite a few more details about it.
The reason RIM took so long to release the advisory is that RIM had to wait for carriers to approve the security software update. RIM provided the fix within two weeks of learning of the vulnerability. Now, SIX MONTHS LATER, RIM has found that “a sufficient number of wireless services providers” have made the update available to their customers.
Here is RIM’s explanation for the delay:
A sufficient number of wireless service providers must make a security software update for BlackBerry smartphones publicly available to customers before RIM will publish full details of the software update in a Security Advisory. RIM delivered the software updates to its wireless service provider partners. Where a wireless service provider may not have then provided the software updates to all customers, this policy is intended to protect those customers from increased risk of exploitation.
Within two weeks of learning of the vulnerabilities that this Security Advisory addresses, RIM tested and delivered fixed software to our wireless service provider partners for their Technical Acceptance process. During the Technical Acceptance process, RIM monitored update availability for nine affected devices available through nearly 500 carriers globally until an availability level was achieved that allowed us to be confident that disclosure of the security vulnerabilities addressed by the software update would protect the interests of the majority of our customers.
RIM continues to work with our partners to expedite the process of software update delivery to BlackBerry smartphone customers.
Note: KB26132 was previously published as a Security Notice to responsibly advise customers about the existence of one of the three vulnerabilities, which had been publicly disclosed, and provide workaround options in lieu of a software update to address that issue for all affected customers. This Security Advisory replaces that Security Notice and provides full details of publicly available software updates that address that issue and two related issues, and urges affected customers to upgrade.
Six months to roll out a relatively critical software update is simply ridiculous in this fast-changing security scene… Thankfully the PlayBook’s QNX-based OS has been consistently pushing out security updates within 2 weeks or so.