BlackBerry released two security advisories on Tuesday, alerting customers about vulnerabilities that affect its BlackBerry Z10 smartphones and BlackBerry PlayBook tablets.
The first advisory, BSRT-2013-005, addresses Adobe Flash Player vulnerabilities integrated into specific versions of both the BlackBerry PlayBook and BlackBerry Z10 operating systems, the smartphone maker said.
The second advisory, BSRT-2013-006, addresses a vulnerability affecting select BlackBerry Z10 smartphones that are running earlier versions of the OS and have the BlackBerry Protect feature enabled.
“Successful exploitation requires a customer to be persuaded to access maliciously created Adobe Flash content in an email or on a webpage,” a security advisory explained. “The mail message could be received at a webmail account that the user accesses in a browser on a BlackBerry Z10 smartphone and/or the BlackBerry PlayBook tablet.”
“If all of the specific requirements are met for exploitation, an attacker could potentially execute arbitrary code in the context of the application that opens the specially crafted Adobe Flash content,” the advisory continued.
BlackBerry is not currently aware of any active attacks targeting its customers, but recommends that all customers apply the latest software updates to protect their devices.
“BlackBerry customer risk is limited by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction and physical access to the device,” explained – Adrian Stone, Director, BlackBerry Security Incident Response and Threat Analysis. “While successful exploitation requires several specific conditions, and there are no current attacks on customers, we recommend BlackBerry Z10 users install the latest software update to be fully protected from this issue.”
Details on the vulnerabilities as described by BlackBerry are included below:
About the Adobe Flash Update (BSRT-2013-005):
• This advisory addresses a vulnerability in Adobe Flash Player that is currently not being exploited against BlackBerry Z10 smartphone or BlackBerry PlayBook tablet customers.
• BlackBerry customer risk is limited by the BlackBerry 10 OS and the BlackBerry PlayBook Tablet OS design, which restricts an application’s access to system resources and the private data of other applications.
• Successful exploitation requires a customer to be persuaded to access maliciously created Adobe Flash content in an email or on a webpage.
• Customers using BlackBerry Q10 smartphones, BlackBerry Z10 users running version 10.0.10.648 or later and BlackBerry PlayBook tablet users running version 2.1.0.1526 or later are not affected.
About the BlackBerry Protect Update (BSRT-2013-006):
• This advisory addresses a vulnerability affecting select OS versions for BlackBerry Z10 smartphones that is currently not being exploited.
• BlackBerry customer risk is limited by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction and an attacker gaining physical access to the device.
• Successful exploitation requires an attacker to overcome several barriers, including changing a default setting to enable BlackBerry Protect, using the feature to reset the device password, and downloading a specifically crafted malicious app. In addition, the attacker would also have to gain physical access to the smartphone.
• Customers using BlackBerry Q10 smartphones and BlackBerry Z10 users running version 10.0.10.648 and later are not affected.
After installing the latest software update, BlackBerry Z10 users and BlackBerry PlayBook tablet users will be fully protected from this vulnerability, BlackBerry said.
