Al spotted this latest security advisory from RIM about their browser. Turns out that most of the official BlackBerry OS versions out there are susceptible to a browser certificate issue where NULL characters in the certificate can fool users into thinking they are on a trusted website.
RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages. If a user visits a site that causes a BlackBerry Browser dialog box to warn the user about continuing the connection, the user should select Close connection.
Essentially, a malicious hacker could send you a link to a website that has a certificate altered with hidden null characters. The phishing-style attack then delivers that link by email; when you open it, the browser correctly pops up a message saying that the certificate's Common Name field does not match. The problem is that the dialog won't show the null characters, so the warning will look like the message to the right: the name it displays appears identical to the site you meant to visit. Make sure to CLOSE THIS CONNECTION!
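To make the mechanism concrete, here is an added example (my own code, not from the original post or from RIM) of what an embedded NUL byte does to a certificate name. The Common Name values and the host name are constructed for illustration. It goes slightly beyond the post: besides showing how a dialog that prints the name as a C string hides everything after the NUL (the display problem the post describes), it also shows the naive length-truncated comparison that the same byte defeats, and a hardened matcher and display routine that a verifier should use instead.

```python
# Added example (not from the original post): how a NUL byte inside a
# certificate Common Name is hidden by C-string style handling, and how a
# careful verifier should treat such a name. All sample values are constructed.

def cstring_view(name: bytes) -> bytes:
    """Emulate a consumer that treats the name as a C string:
    everything after the first NUL byte is invisible to it."""
    nul = name.find(b"\x00")
    return name if nul == -1 else name[:nul]


def what_the_dialog_shows(cn: bytes) -> str:
    """A warning dialog that renders the CN as a C string drops the hidden
    suffix, so the user sees a name that looks like the expected site."""
    return cstring_view(cn).decode("ascii", "replace")


def escaped_display(cn: bytes) -> str:
    """Hardened rendering: print the full ASN.1 string and make every
    control byte visible as \\xNN so a hidden suffix cannot disappear."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in cn)


def naive_hostname_match(cn: bytes, host: bytes) -> bool:
    """Vulnerable comparison: compares only the C-string view of the CN,
    so a NUL-prefixed name matches the host it is impersonating."""
    return cstring_view(cn).lower() == host.lower()


def safe_hostname_match(cn: bytes, host: bytes) -> bool:
    """Hardened comparison: reject any name containing NUL or other control
    bytes, then compare the full length of the string."""
    if any(b < 0x20 or b == 0x7F for b in cn):
        return False
    return cn.lower() == host.lower()


# Constructed sample values (not real certificates or hosts).
HOST = b"www.example-bank.test"
HONEST_CN = b"www.example-bank.test"
CRAFTED_CN = b"www.example-bank.test\x00.attacker.example"

if __name__ == "__main__":
    for label, cn in (("honest", HONEST_CN), ("crafted", CRAFTED_CN)):
        print(f"{label:8} dialog shows : {what_the_dialog_shows(cn)!r}")
        print(f"{label:8} escaped view : {escaped_display(cn)!r}")
        print(f"{label:8} naive match  : {naive_hostname_match(cn, HOST)}")
        print(f"{label:8} safe match   : {safe_hostname_match(cn, HOST)}")
```

The two display functions explain the post's screenshot: the C-string view of the crafted name is byte-for-byte what the user expected to see, so a mismatch warning that prints it looks like a harmless glitch, whereas the escaped view makes the extra suffix obvious. The two matchers show why a verifier must compare the full ASN.1 length and refuse names with control bytes rather than trusting a NUL-terminated copy.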
Sadly, it looks like RIM is yet again playing the carrier waiting game and letting carriers approve the patched OS versions before releasing them. I guess RIM has yet to find a solution for zero-day vulnerabilities that may arise in the future…
The table below lists the versions you need to have to no longer be susceptible to such a bug. Notice how AT&T is still on Bold OS 4.6.0.297… while version .303 is the patched version.
Current software version