BlackBerry climbed aboard the Patch Tuesday bandwagon today with four advisories patching vulnerabilities in Adobe Flash, Webkit and libexif on the company’s mobile devices.
Adrian Stone, director of BlackBerry’s security incident response and threat analysis, said the company is not aware of any attacks in the wild exploiting these vulnerabilities.
“BlackBerry is committed to protecting customers from third-party security issues,” Stone said in a statement.
BSRT-2013-007 patches remote code execution vulnerabilities in BlackBerry Z10 and Q10 smartphones and the BlackBerry PlayBook tablet. Applications running on these devices have limited access to system resources, BlackBerry said, lessening the risk to private data. An attacker would have to entice a user to view a malicious Flash file or download an Adobe AIR application to exploit the vulnerability.
BSRT-2013-008 addresses vulnerabilities in WebKit running on the Z10 and PlayBook tablet. Users on these devices would have to land on a malicious website and view malicious javascript in order to exploit the vulnerabilities.
“If the requirements are met for exploitation, an attacker could potentially execute code in the BlackBerry Browser,” BlackBerry said in its advisory, adding again in this context, that applications have restricted access to system resources to make this a huge risk.
Another WebKit issue has been patched as well on the Z10 smartphone that would allow an attacker to remotely run code. According to the advisory, the vulnerability is in the JavaScriptCore component.
“The JavaScriptCore component interprets and executes JavaScript in the browser,” BlackBerry said. “Successful exploitation of the vulnerability could result in an attacker executing codeĀ in the context of the web browser.”
BSRT-2013-009 repairs security flaws in libexif libraries on the BlackBerry PlayBook tablet. The advisory points out that multiple flaws exist in the open source EXIF tag parsing library in the tablet.
“The libexif library is an open source component used for processing EXIF metadata tags embedded in images,” the advisory says. “Successful exploitation of one or more of these vulnerabilities could result in an attacker executing code in the context of the application that opens the specially crafted image.”
Attackers exploiting the vulnerabilities would have to do so by building an image with malformed EXIF data and then enticing the user to open or save the image after it has been displayed in an email or webpage.
