BlackBerry Issues Fixes to Address Third-party Security Issues

Joining Microsoft who patched 47 security vulnerabilities across its product portfolio, and Adobe who issued security fixes for its products, BlackBerry on Tuesday issued four fixes that affect third party software running on its mobile devices.

BlackBerry’s Security Incident Response Team (BBSIRT) released four security updates that address Adobe Flash Player, WebKit and libexif vulnerabilities.

BlackBerry said it is not aware of any active attacks against customers using these vulnerabilities.

“BlackBerry is committed to protecting customers from third-party security issues, and we recommend that all customers apply the latest software updates to protect their devices from these Adobe Flash, Webkit and libexif vulnerabilities,” Adrian Stone, Director, BlackBerry Security Incident Response and Threat Analysis said in a statement.

(Related: Listen to SecurityWeek’s recent podcast with Adrian Stone)

BlackBerry provided the following information detailing the four security advisories issued today:

Adobe Flash Update (BSRT-2013-007):

• This advisory addresses several Adobe Flash Player remote code execution vulnerabilities that are not currently being exploited but affect BlackBerry Z10 and BlackBerry Q10 smartphones and BlackBerry PlayBook tablets.

• BlackBerry customer risk is limited by the BlackBerry 10 OS and the BlackBerry tablet OS design, which restricts an application’s access to system resources and the private data of other applications.

• Successful exploitation requires that an attacker craft malicious Adobe Flash content that they must then persuade the customer to access on a webpage, or as a downloaded Adobe AIR application.

First WebKit Update (BSRT-2013-008):

• This security advisory addresses a WebKit remote code execution vulnerability that is not currently being exploited but affects BlackBerry Z10 smartphone and BlackBerry PlayBook tablet customers.

• BlackBerry customer risk is limited by the BlackBerry 10 OS and the BlackBerry tablet OS design, which restricts an application’s access to system resources and the private data of other applications.

• Successful exploitation requires an attacker to create a malicious website or compromise a legitimate website, and requires that a BlackBerry Z10 smartphone or BlackBerry tablet user view a webpage containing the malicious JavaScript content.

libexif Update (BSRT-2013-009):

• This advisory addresses libexif library vulnerabilities that are not currently being exploited but affect BlackBerry PlayBook tablet customers.

• BlackBerry customer risk is limited by the BlackBerry tablet OS design, which restricts an application’s access to system resources and the private data of other applications.

• Successful exploitation requires an attacker to craft a malicious image file and also requires that a user opens or saves this image file from an email or website.

Second WebKit Update (BSRT-2013-010):

• This advisory addresses a WebKit remote code execution vulnerability that is not currently being exploited but affects BlackBerry Z10 smartphone customers.

• BlackBerry customer risk is limited by the BlackBerry 10 OS design, which restricts an application’s access to system resources and the private data of other applications.

• Successful exploitation requires an attacker to create a malicious website or compromise a legitimate website, and requires that a BlackBerry Z10 smartphone user view a webpage containing the malicious JavaScript content.

More information is available via BBSIRT’s website.