BlackBerry issued an advisory today that updates are available for all of its products affected by the Heartbleed OpenSSL vulnerability.
The mobile device maker said that it is not aware of any exploits targeting BlackBerry products.
BlackBerry Messenger (BBM) for Android and iPhone, as well as Secure Work Space for iOS and Android, were vulnerable to the dangerous bug, as were BlackBerry Enterprise Service 10 and BlackBerry Link users. BlackBerry smartphones are not vulnerable to Heartbleed.
“BlackBerry customer risk is limited in all cases by the requirement that an attacker first gain access to an affected product in order to then mount a successful attack,” the company said in its advisory.
BlackBerry added that the risk for BBM, Secure Work Space and Link users is limited because those products are TLS clients: to read their memory an attacker would first have to get in the path of the connection, carrying out a man-in-the-middle attack capable of spoofing the IP addresses of the servers the apps talk to.
Heartbleed (CVE-2014-0160) was disclosed on April 7. The bug is a missing bounds check in OpenSSL's handling of the TLS Heartbeat extension: a heartbeat request carries a payload and a length field, and the vulnerable code echoes back as many bytes as the length field claims, up to 64 KB, without checking that the request actually contained that many. Each response can therefore expose up to 64 KB of the peer's memory, and repeating the request leaks different chunks of it; researchers have recovered session cookies and credentials this way, and some have managed to grab servers' private keys.
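To make the missing bounds check concrete, here is an added example that is not part of the original article or of OpenSSL: a C simulation of the heartbeat handler in its vulnerable form and with the 1.0.1g-style length check. The "process memory" is a byte array, the secret placed after the record is a constructed sample string, and the function names are my own; the structure of the check mirrors the published fix, not OpenSSL's exact source.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

/* Simulated process memory: a stand-in for OpenSSL's record buffer and whatever the
 * allocator placed after it. Sized so the worst-case over-read (65535 bytes) stays
 * inside the array, so the demo itself has no undefined behaviour. */
#define ARENA_SIZE (3 + 65535 + HB_PADDING + 64)
static unsigned char arena[ARENA_SIZE];

/* Constructed sample secret that the allocator "happened" to place after the record. */
static const char SECRET[] = "-----BEGIN RSA PRIVATE KEY----- (constructed sample, not a real key)";
#define SECRET_OFFSET 64   /* hypothetical heap layout; the payload must stay below it */

typedef struct {
    const unsigned char *data;   /* start of the heartbeat message */
    size_t length;               /* bytes actually received in this record */
} tls_record;

/* Lay out one heartbeat request: type, 2-byte big-endian length *claimed* by the
 * sender, the bytes actually sent, then 16 bytes of padding. The claimed and the
 * actual length are deliberately decoupled, which is exactly the attacker's trick. */
static tls_record place_request(uint16_t claimed_len, const char *payload, size_t actual_len) {
    memset(arena, 0, sizeof arena);
    arena[0] = TLS1_HB_REQUEST;
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + 3, payload, actual_len);          /* padding after it is already zero */
    memcpy(arena + SECRET_OFFSET, SECRET, sizeof SECRET);
    tls_record rec = { arena, 3 + actual_len + HB_PADDING };
    return rec;
}

/* Build the response exactly as both handlers do: echo `payload` bytes from p. */
static unsigned char *echo_payload(const unsigned char *p, unsigned int payload, size_t *out_len) {
    unsigned char *resp = malloc(1 + 2 + payload + HB_PADDING);
    if (!resp) return NULL;
    resp[0] = TLS1_HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, p, payload);                    /* reads `payload` bytes no matter what */
    memset(resp + 3 + payload, 0, HB_PADDING);
    *out_len = 1 + 2 + payload + HB_PADDING;
    return resp;
}

/* Vulnerable handler (pre-1.0.1g logic): the length comes from the attacker and is
 * never compared with rec->length, so the memcpy walks past the record. */
static unsigned char *vulnerable_heartbeat(const tls_record *rec, size_t *out_len) {
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];   /* n2s(p, payload) */
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return NULL;
    return echo_payload(p, payload, out_len);
}

/* Patched handler: silently discard any record whose claimed payload, plus the
 * header and padding, does not fit inside what was actually received. */
static unsigned char *patched_heartbeat(const tls_record *rec, size_t *out_len) {
    if (rec->length < 1 + 2 + HB_PADDING) return NULL;          /* cannot even hold an empty payload */
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    unsigned int payload = ((unsigned int)p[0] << 8) | p[1];
    p += 2;
    if (hbtype != TLS1_HB_REQUEST) return NULL;
    if (1 + 2 + payload + HB_PADDING > rec->length) return NULL; /* the missing bounds check */
    return echo_payload(p, payload, out_len);
}

/* Naive substring search over a byte buffer. */
static int contains(const unsigned char *hay, size_t hay_len, const char *needle) {
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

/* Attacker sends a 2-byte payload but claims 16384 bytes. */
static int vulnerable_leaks_secret(void) {
    tls_record rec = place_request(16384, "hi", 2);
    size_t len = 0;
    unsigned char *resp = vulnerable_heartbeat(&rec, &len);
    int leaked = resp && contains(resp, len, SECRET);
    free(resp);
    return leaked;
}

static int patched_rejects_oversized_claim(void) {
    tls_record rec = place_request(16384, "hi", 2);
    size_t len = 0;
    unsigned char *resp = patched_heartbeat(&rec, &len);
    int rejected = (resp == NULL);
    free(resp);
    return rejected;
}

/* An honest request (claimed length == actual length) still gets its echo. */
static int patched_echoes_honest_request(void) {
    tls_record rec = place_request(2, "hi", 2);
    size_t len = 0;
    unsigned char *resp = patched_heartbeat(&rec, &len);
    int ok = resp && len == 1 + 2 + 2 + HB_PADDING && resp[0] == TLS1_HB_RESPONSE
             && memcmp(resp + 3, "hi", 2) == 0 && !contains(resp, len, SECRET);
    free(resp);
    return ok;
}

int main(void) {
    printf("vulnerable handler leaks the secret:      %s\n", vulnerable_leaks_secret() ? "yes" : "no");
    printf("patched handler rejects oversized claim:  %s\n", patched_rejects_oversized_claim() ? "yes" : "no");
    printf("patched handler echoes honest request:    %s\n", patched_echoes_honest_request() ? "yes" : "no");
    return 0;
}
```

The only difference between the two handlers is the single comparison against `rec->length`; everything else, including the allocation sized from the attacker's length field, is identical. That is why the real exploit is a pure read: the response buffer is always big enough, it is the source of the copy that runs off the end of the record.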
Proof-of-concept Heartbleed exploits have been public since the disclosure, and although patched OpenSSL builds have been available just as long, hundreds of thousands of HTTPS servers (port 443) remain unpatched. Errata Security, which runs the Internet-wide scanning project MassScan, said this week that upwards of 318,000 remain vulnerable, down from more than 600,000.
Researcher Robert Graham wrote at Errata that his April scan found 28 million systems supporting SSL, but his most recent scan found only 22 million; he surmised that some networks may now be blocking his Heartbleed scans. In April, he said, about one million systems supported the heartbeat extension in question, and one-third of those were patched. His latest scan found 1.5 million systems supporting the extension, all but 300,000 of them patched.
“This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled,” Graham wrote. “Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL.”
In addition to the Heartbleed advisory, BlackBerry patched Adobe Flash remote code execution vulnerabilities in its Z10, Q10 and Q5 smartphones, none of which is known to be exploited. Flash is bundled with the BlackBerry 10 phones.
BlackBerry said the risk is limited by the design of the BlackBerry 10 OS, which sandboxes applications, restricting their access to system resources and to other applications' data.
“Successful exploitation requires an attacker to craft malicious Adobe Flash content and requires that a user access the malicious content on a webpage or as a downloaded Adobe AIR application,” BlackBerry said. “If the requirements are met for exploitation, an attacker could potentially execute code with the rights of the application that opens the specially crafted malicious Flash content.”