September 29, 2009 at 6:05 PM #174149
Al spotted this latest security advisory from RIM about their browser. Turns out that most of the official BlackBerry OS versions out there are susceptible to a browser certificate issue where NULL characters in the certificate can fool users into thinking they are on a trusted website.
RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages. If a user visits a site that causes a BlackBerry Browser dialog box to warn the user about continuing the connection, the user should select Close connection.
Essentially a malicious hacker could send you a link to a website that has a certificate altered with hidden null characters. The phishing-style attack can then send you an email and correctly pop up a message saying that the certificate’s Common Name field does not match. The problem is that it won't show the null characters, so it will look like the message to the right. Make sure to CLOSE THIS CONNECTION!
Sadly it looks like RIM is yet again playing the carrier waiting game and letting carriers approve the patched OS versions before releasing them. I guess RIM has yet to find a solution for Zero Day vulnerabilities that may arise in the future…
The table below lists the versions you need to have to no longer be susceptible to such a bug. Notice how AT&T is still on Bold OS 188.8.131.527… while version .303 is the patched version.
Current software version | Software version to update to
BlackBerry Device Software Version 4.5.0.x | BlackBerry Device Software Version 184.108.40.206 or later
BlackBerry Device Software Version 4.6.0.x | BlackBerry Device Software Version 220.127.116.113 or later
BlackBerry Device Software Version 4.6.1.x | BlackBerry Device Software Version 18.104.22.1689 or later
BlackBerry Device Software Version 4.7.0.x | BlackBerry Device Software Version 22.214.171.124 or later
BlackBerry Device Software Version 4.7.1.x | BlackBerry Device Software Version 126.96.36.199 or later
September 29, 2009 at 6:05 PM #181834
I could be wrong here, but the patch list looks like it is for GSM phones. Do you have the list for CDMA?
Wouldn't it be nice if whenever we messed up our lives we could simply press 'Ctrl Alt Delete' and start all over??
September 29, 2009 at 6:33 PM #181835
The patch list is for the OS version, regardless of whether they are GSM or CDMA. My 8330 Curve has OS 188.8.131.52, which is the latest available for that device. However, the table above states I should have 184.108.40.206, which I haven't even seen in beta anywhere.
I do not, however, see any OSes for earlier versions. I have users still on 4.2 or 4.3, so I will need to get them upgraded. I even have some 7290s on 4.0 (UGH!), but there is no 4.5 OS for that old device...
September 29, 2009 at 6:39 PM #181836
Good point. I am not sure what the story is for older devices. Could be RIM did not want to bring attention to the fact that they have EOL'ed them for OS updates.
September 29, 2009 at 6:42 PM #181837
Ignore it and it will go away... we'll get those users to upgrade their devices somehow!
Thanks for the info joolie. Do you know if the new OS 5.0 will have the protection? Or are we still vulnerable?
September 29, 2009 at 6:50 PM #181839
IMO, I would *guess* 5.0 will have it, but it hasn't been released yet so can't be sure (and who knows if the beta version floating about has it since it's not official yet).
September 29, 2009 at 7:21 PM #181840
Pretty obvious that:
A) RIM doesn’t care about devices not running at least 4.5. I think we are going to see that ALL solutions to anything arising on those devices is “Upgrade to new phone please”.
B) RIM isn’t going to say anything about 5.0, it isn’t released so technically NOBODY should be running it but beta testers. Right.
C) Another speed bump for Storm, I’m SURE this will throw the entire Verizon TA process back to square one to fix the flaws in .148.
Ronen Halevy (Keymaster, Posts: 2,906)
Yeah!!! More OS upgrades…
September 29, 2009 at 8:31 PM #181842
I love that the 220.127.116.11 is required but not even yet leaked for the Tour. It is only currently being pushed to limited numbers of Sprint BES users as far as I have heard.
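The root cause behind the advisory discussed in the opening post is that an X.509 Common Name is a length-delimited ASN.1 string, so it may contain a NUL byte, while code that treats it as a C string (and a warning dialog that renders it that way) stops at the NUL and shows only the trusted-looking prefix. The following is an added example (not code from the forum thread, from RIM, or from any BlackBerry component) that puts a naive C-string-style comparison next to a hardened one and shows how a dialog should escape such a name so the full value is visible. All sample names are constructed for illustration.

```python
# Added example: hostname-vs-CN matching with and without the NUL-truncation
# flaw. The sample CN below is constructed and does not belong to any real site.

SAMPLE_CN = "www.bank.example\x00.attacker.example"  # constructed: NUL hides the real suffix
EXPECTED_HOST = "www.bank.example"


def naive_cn_matches(cn: str, host: str) -> bool:
    """Flawed check: behaves like a C string compare, stopping at the first NUL."""
    visible = cn.split("\x00", 1)[0]
    return visible.lower() == host.lower()


def strict_cn_matches(cn: str, host: str) -> bool:
    """Hardened check: refuse any control character, then compare the whole name.

    A single leftmost wildcard label is honoured; anything else must match exactly.
    """
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in cn):
        return False  # NUL or other control character in a CN is never trustworthy
    cn = cn.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cn.startswith("*."):
        suffix = cn[1:]  # ".bank.example"
        if not host.endswith(suffix) or len(host) <= len(suffix):
            return False
        # The wildcard may only stand in for one label, never "a.b".
        return "." not in host[: -len(suffix)]
    return cn == host


def render_for_dialog_naive(cn: str) -> str:
    """What a NUL-terminated UI would display: only the prefix before the NUL."""
    return cn.split("\x00", 1)[0]


def render_for_dialog_safe(cn: str) -> str:
    """Escape control characters so a warning dialog shows the real, full name."""
    return "".join(c if 0x20 <= ord(c) < 0x7F else f"\\x{ord(c):02x}" for c in cn)


if __name__ == "__main__":
    print("naive match :", naive_cn_matches(SAMPLE_CN, EXPECTED_HOST))
    print("strict match:", strict_cn_matches(SAMPLE_CN, EXPECTED_HOST))
    print("naive dialog:", render_for_dialog_naive(SAMPLE_CN))
    print("safe dialog :", render_for_dialog_safe(SAMPLE_CN))
```

The naive path accepts the constructed CN for www.bank.example and would display exactly that string in a warning dialog, which is the situation the advisory describes; the strict path rejects it outright, and the escaped rendering makes the hidden suffix visible to the user. Current TLS libraries apply the strict behaviour, so this code is a teaching aid, not something to drop in front of a production validator.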