BlackBerry climbed aboard the Patch Tuesday bandwagon today with four advisories patching vulnerabilities in Adobe Flash, Webkit and libexif on the company’s mobile devices.
Adrian Stone, director of BlackBerry’s security incident response and threat analysis, said the company is not aware of any attacks in the wild exploiting these vulnerabilities.
“BlackBerry is committed to protecting customers from third-party security issues,” Stone said in a statement.
BSRT-2013-007 patches remote code execution vulnerabilities in BlackBerry Z10 and Q10 smartphones and the BlackBerry PlayBook tablet. Applications running on these devices have limited access to system resources, BlackBerry said, lessening the risk to private data. An attacker would have to entice a user to view a malicious Flash file or download an Adobe AIR application to exploit the vulnerability.
“If the requirements are met for exploitation, an attacker could potentially execute code in the BlackBerry Browser,” BlackBerry said in its advisory, adding again in this context, that applications have restricted access to system resources to make this a huge risk.
BSRT-2013-009 repairs security flaws in libexif libraries on the BlackBerry PlayBook tablet. The advisory points out that multiple flaws exist in the open source EXIF tag parsing library in the tablet.
“The libexif library is an open source component used for processing EXIF metadata tags embedded in images,” the advisory says. “Successful exploitation of one or more of these vulnerabilities could result in an attacker executing code in the context of the application that opens the specially crafted image.”
Attackers exploiting the vulnerabilities would have to do so by building an image with malformed EXIF data and then enticing the user to open or save the image after it has been displayed in an email or webpage.