October 3, 2009 at 1:02 PM #174173
Greg MyersParticipantPosts: 36
(Via: BlackBerryForums.com.au: Blackberry Browser Security issue )
Research In Motion (NSDQ: RIMM) issued a security patch that fixes a vulnerability that potentially leaves BlackBerry users open to phishing attacks.
The flaw enables a malicious coder to trick BlackBerry users into visiting a potentially malicious Web site by making the device think the site is a trusted one. To exploit this, attackers would need to create a site that uses null characters in the certificate’s Common Name field. The device detects the mismatch between the domain name and the certificate, but the warning screen doesn’t display the hidden character, making the user think the site is trusted.
“The updated BlackBerry device software is designed to depict null characters in the BlackBerry browser dialog box that appears when the user visits a Web site with a certificate that does not match the site domain name,” RIM said in a security note. “In the updated BlackBerry device software, the BlackBerry device represents previously hidden null characters with a block, and highlights the non-matching portion of the domain name in bold.”
The security flaw was brought to RIM’s attention by Mobile Security Labs and CESG, and it impacts various BlackBerry models with the 4.5 version of the operating system or later. Individual users and BlackBerry Enterprise Software managers can check for updates from RIM’s Web site, and the company advises BlackBerry users to exercise caution when clicking on links they receive from SMS messages or e-mail.
The mobile platforms have not been a major target of malicious coders, particularly because the wide variety of operating systems makes mobile devices a harder target than Windows desktop machines. But as more users carry sensitive data on their handsets, most industry experts speculate it will only be a matter of time before a widespread mobile virus emerges.
RIM Patches BlackBerry Phishing FlawOctober 3, 2009 at 1:02 PM #181933
This is the same flaw Ronen posted about earlier in the week? http://www.berryreview.com/2009/09/29/rim-reveals-browser-certificate-vulnerability/
The same flaw that no carrier has released an OS update to fix yet???
Verizon Bold 9930 work
Verizon Droid Bionic playOctober 4, 2009 at 12:19 AM #181934
I couldn’t find any “updates from RIM’s Web site”. Please share if anyone finds it.October 5, 2009 at 3:46 AM #181935
Ronen HalevyKeymasterPosts: 2,906
just comments i wont shared informationOctober 5, 2009 at 12:11 PM #181936
is this the reason y my blackberry internet browser hasnt been working, i cant even log on to aim or anything like that. then i call customer service, they make me delete all browsercofigurations from my service book, and i cant put it back on my phone. so im stuck with only tmobile browser and hotspot. i have no option anymore for the blackberry internet browser, anyone know how i can get it back. im going to give this a try if there is an update on the site, maybe it can fix my problem. This is So Frustrating.
**Genaro**October 5, 2009 at 3:59 PM #181937
Ronen HalevyKeymasterPosts: 2,906
My question for RIM is, how exactly has this flaw been patched? There is no information listed in the above statement that explains that, other than stating “Device software updates”.
In RIM’s original statement they said the following:
Applications version to update to
Version 4.5.0.x -> Version 184.108.40.206 or later
Version 4.6.0.x -> Version 220.127.116.113 or later
Version 4.6.1.x -> Version 18.104.22.1689 or later
Version 4.7.0.x -> Version 22.214.171.124 or later
Version 4.7.1.x -> Version 126.96.36.199 or later
However, the problem here lays in the fact that TECHNICALLY, you have to rely on your CARRIER to release the OS update. Just doing a quick search for the current available OS upgrades from carriers, I see the following:
8350i Most Current Upgrade: 188.8.131.52
8330 Sprint Most Current Upgrade: 184.108.40.206
8900 TMO Most Current Upgrade: 220.127.116.11
8520 TMO Most Current Upgrade: 18.104.22.1689
8320 TMO Most Current Upgrade: 22.214.171.124
8900 ATT Most Current Upgrade: 126.96.36.199
So how exactly are users supposed to “upgrade” their device software to fix this flaw and still stay within the “Technical” warranty requirements of their carrier?
Most carriers won’t check the OS version to see if it is an “official version authorized by them” if a device comes back in for a warranty replacement, however, they could.
So what is the average Joe Consumer to do? Wait on an official OS upgrade? Search the internet to find a leaked BETA?
RIM said a long time ago (about a year ago) that they were going to “take the OS upgrades out of the carriers hands”. So why hasn’t that been done yet? And when are the carriers planning on releasing new software in order to “patch” this flaw”?
So in closing, like I mentioned to begin with, where is the “patch” at in the above statement that RIM released? There is no real information there for anyone to gather anything off of.
You must be logged in to reply to this topic.