BlackBerry’s security incident response team has issued two advisories warning Z10 smartphone and PlayBook tablet users to upgrade to the latest version of the operating system and software on both platforms. The patches address a remote code-execution vulnerability in the Adobe Flash Player integrated into the BlackBerry products, as well as a privilege escalation flaw in the BlackBerry OS.
Users and enterprise administrators are urged to upgrade their devices to BlackBerry 10 OS version 10.0.10.648 or later, and version 126.96.36.1996 of the PlayBook software.
The privilege escalation bug affects only Z10 smartphones and is not being exploited. BlackBerry said the severity limited by the amount of user interaction and physical access on the attacker’s part required to successfully exploit the vulnerability.
“Successful exploitation requires not only that a customer enable BlackBerry Protect, use the feature to reset the device password and download a specifically crafted malicious app, but also that an attacker gain physical access to the phone,” BlackBerry said in its advisory. “If all of the specific requirements are met for exploitation, an attacker could potentially access or modify data on the device.”
The vulnerability could enable a malicious application downloaded by the user to compromise weak permissions on a BlackBerry Protect object to compromise the device. By doing so, the app could gain the device password if a reset is requested through Protect; it also could prevent the device from executing commands from Protect such as remote wipe.
If all these conditions exist, an attacker could access BlackBerry Hub, applications and data, unlock the work perimeter compartment on the device, access the device over a USB tether in order to view files, change device passwords or access local and enterprise services.
BlackBerry Enterprise Server administrators are urged to disallow computer access to Work Space on the device, disallow the use of the same password for WorkSpace as for the rest of the device, require a password for Work Space, and restrict Development mode.
“BlackBerry customer risk is limited by the inability of a potential attacker to force exploitation of the vulnerability without significant customer interaction and physical access to the device,” BlackBerry’s Adrian Stone, director of security incident response and threat analysis, said in a statement. “While successful exploitation requires several specific conditions, and there are no current attacks on customers, we recommend BlackBerry Z10 users install the latest software update to be fully protected from this issue.”
As for the second advisory, Adobe Flash Player versions earlier than 10.0.10.648 included with Z10 are affected while versions 188.8.131.526 on the PlayBook are impacted. Users are urged to upgrade on both platforms. BlackBerry stressed that the vulnerability is not in the operating system, nor is it being exploited in the wild.
“Successful exploitation of this issue could potentially result in an attacker being able to execute arbitrary code in the context of the application that opens the specially crafted Adobe Flash content (typically the web browser),” the advisory says. “Failed exploitation of this issue might result in abnormal or unexpected termination of the application.”
In order for an exploit to execute, the user must interact with a malicious .swf application embedded in website content or via an email attachment over webmail through a browser on one of the devices. The sandbox protection also built into both BlackBerry platforms is a mitigating factor here, BlackBerry said.
The vulnerability is described in CVE-2013-0630 as a buffer overflow in Adobe Flash Player before 10.3.183.50 and 11.x before 11.5.502.146 on Windows and Mac OS X.
Unlike on the PlayBook tablet, Flash is not enabled by default on the Z10 and users must turn it on to view Flash content on the phone’s browser, BlackBerry said.
“The attacker cannot force the user to access the content or bypass the requirement that the user chooses to access the content,” the advisory said.