
RIM Reveals Browser Certificate Vulnerability


This topic contains 9 replies, has 3 voices, and was last updated by  Ronen Halevy 7 years, 2 months ago.

  • #174149

    Ronen Halevy
    Keymaster
    Posts: 2,906

    Al spotted this latest security advisory from RIM about their browser. Turns out that most of the official BlackBerry OS versions out there are susceptible to a browser certificate issue where NULL characters in the certificate can fool users into thinking they are on a trusted website.

    From RIM’s Advisory:

    RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages. If a user visits a site that causes a BlackBerry Browser dialog box to warn the user about continuing the connection, the user should select Close connection.

    Essentially a malicious hacker could send you a link to a website that has a certificate altered with hidden null characters. The phishing-style attack can then send you an email and correctly pop up a message saying that the certificate’s Common Name field does not match. The problem is that it won’t show the null characters, so it will look like the message to the right. Make sure to CLOSE THIS CONNECTION!

    Sadly it looks like RIM is yet again playing the carrier waiting game and letting carriers approve the patched OS versions before releasing them. I guess RIM has yet to find a solution for Zero Day vulnerabilities that may arise in the future…

    The table below lists the versions you need to have to no longer be susceptible to such a bug. Notice how AT&T is still on Bold OS 4.6.0.297… while version .303 is the patched version.

    Current software version                      Software version to update to
    BlackBerry Device Software Version 4.5.0.x    BlackBerry Device Software Version 4.5.0.173 or later
    BlackBerry Device Software Version 4.6.0.x    BlackBerry Device Software Version 4.6.0.303 or later
    BlackBerry Device Software Version 4.6.1.x    BlackBerry Device Software Version 4.6.1.309 or later
    BlackBerry Device Software Version 4.7.0.x    BlackBerry Device Software Version 4.7.0.179 or later
    BlackBerry Device Software Version 4.7.1.x    BlackBerry Device Software Version 4.7.1.57 or later


    #181834

    automan69
    Participant
    Posts: 108

    I could be wrong here, but the patch list looks like for GSM phones. Do you have the list for CDMA?

    Wouldn't it be nice if whenever we messed up our lives we could simply press 'Ctrl Alt Delete' and start all over??

    #181835

    Ronen Halevy
    Keymaster
    Posts: 2,906

    The patch list is for the OS version – regardless of whether they are GSM or CDMA. My 8330 Curve has OS 4.5.0.169, which is the latest available for that device. However, the table above states I should have 4.5.0.173… which I haven’t even seen in beta anywhere.

    I do not, however, see any OS’s for earlier versions. I have users still on 4.2 or 4.3 so I will need to get them upgraded. I even have some 7290’s on 4.0 (UGH!), but there is no 4.5 OS for that old device…..

    #181836

    Ronen Halevy
    Keymaster
    Posts: 2,906

    Good point. I am not sure what the story is for older devices. Could be RIM did not want to bring attention to the fact that they have EOL’ed them for OS updates.

    #181837

    Ronen Halevy
    Keymaster
    Posts: 2,906

    Ignore it and it will go away….we’ll get those users to upgrade their devices somehow! ;-)

    #181838
    September 29, 2009 at 6:47 PM

    automan69
    Participant
    Posts: 108

    Thanks for the info joolie. Do you know if the new OS 5.0 will have the protection? Or are we still vulnerable?

    Wouldn't it be nice if whenever we messed up our lives we could simply press 'Ctrl Alt Delete' and start all over??

    #181839

    Ronen Halevy
    Keymaster
    Posts: 2,906

    IMO, I would *guess* 5.0 will have it, but it hasn’t been released yet so I can’t be sure (and who knows if the beta version floating about has it, since it’s not official yet).

    #181840

    DavidB
    Participant
    Posts: 103

    Pretty obvious that:

    A) RIM doesn’t care about devices not running at least 4.5. I think we are going to see that ALL solutions to anything arising on those devices is “Upgrade to new phone please”.

    B) RIM isn’t going to say anything about 5.0, it isn’t released so technically NOBODY should be running but beta testers. Right.

    C) Another speed bump for Storm, I’m SURE this will throw the entire Verizon TA process back to square one to fix the flaws in .148. :(

    DavidB
    Verizon Bold 9930 work
    Verizon Droid Bionic play

    #181841
    September 29, 2009 at 8:14 PM

    Ronen Halevy
    Keymaster
    Posts: 2,906

    Yeah!!! More OS upgrades…

    #181842

    Ronen Halevy
    Keymaster
    Posts: 2,906

    I love that the 4.7.1.57 is required but not even yet leaked for the Tour. It is only currently being pushed to limited numbers of Sprint BES users as far as I have heard.


Copyright © 2007-2016 BerryReview LLC