Vulnerabilities in Adobe Flash Player version included with the BlackBerry PlayBook tablet

Article ID: KB28400

Type:   Security Advisory

First Published: 10-06-2011

Last Modified: 06-11-2012


Product(s) Affected:

  • BlackBerry PlayBook tablets

Affected Software

Adobe® Flash® Player versions included with BlackBerry® PlayBook™ tablet software versions 1.0.7.2942 and earlier.

Non-Affected Software

BlackBerry PlayBook tablet software version 1.0.7.3312 or later.
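An added example (not part of the RIM advisory) that an administrator could use to triage a PlayBook inventory against the version boundaries stated above; it compares versions numerically, since plain string comparison misorders build numbers of different length. The device ids and versions in the sample inventory are constructed.

```python
# Added example, not RIM's code: classify BlackBerry PlayBook tablet software
# versions against the affected / fixed versions given in KB28400.
from typing import Dict, Tuple

AFFECTED_MAX = "1.0.7.2942"  # "1.0.7.2942 and earlier" are affected
FIXED_MIN = "1.0.7.3312"     # "1.0.7.3312 or later" are not affected


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted version into an int tuple so comparison is numeric.
    String comparison is wrong here: "1.0.7.999" > "1.0.7.3312" lexically."""
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {v!r}")
    return tuple(int(p) for p in parts)


def classify(version: str) -> str:
    """Return 'affected', 'fixed', or 'unknown' (a build between the two
    versions the advisory names, which it says nothing about)."""
    v = parse_version(version)
    if v <= parse_version(AFFECTED_MAX):
        return "affected"
    if v >= parse_version(FIXED_MIN):
        return "fixed"
    return "unknown"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each device id to its status; unparsable versions are reported
    as 'malformed' rather than silently skipped."""
    result = {}
    for device, version in inventory.items():
        try:
            result[device] = classify(version)
        except ValueError:
            result[device] = "malformed"
    return result


if __name__ == "__main__":
    # Constructed sample inventory (device ids and versions are made up).
    sample = {
        "pb-001": "1.0.7.2942",   # last affected build named in the advisory
        "pb-002": "1.0.7.3312",   # first fixed build named in the advisory
        "pb-003": "1.0.7.999",    # affected; would sort as "fixed" lexically
        "pb-004": "1.0.7.3000",   # between the two, not covered by the advisory
        "pb-005": "n/a",          # bad inventory data
    }
    for dev, status in triage(sample).items():
        print(f"{dev}: {status}")
```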

Are BlackBerry smartphones and the BlackBerry Device Software affected?

No.

Issue Severity

These issues are in Adobe Flash Player and affect systems that support Adobe Flash. Adobe recommends that affected users update their installations of Adobe Flash Player. Read Adobe security bulletin APSB11-26 for further information on these issues.

These vulnerabilities have Common Vulnerability Scoring System (CVSS) scores that range from 4.3 to 6.8 (high severity). See the References section below for the CVSS score of each issue, listed by CVE® issue identifier.

Overview

This advisory addresses several vulnerabilities in Adobe Flash Player, the most severe of which could result in remote code execution (RCE) within the context of an application that uses Adobe Flash. One of the vulnerabilities is a cross-site scripting vulnerability that could be used to perform actions on behalf of a BlackBerry PlayBook tablet user on any website or webmail provider if the user visits a maliciously crafted website that loads Adobe Flash content.

On the BlackBerry PlayBook, the BlackBerry Tablet OS is designed to restrict an application's access to system resources and the private data of other applications, which limits the risk and exposure to customers. There are no known attacks against BlackBerry PlayBook tablet users at this time. BlackBerry PlayBook tablet users who have updated the BlackBerry Tablet OS to version 1.0.7.3312 or later are protected from the applicable Adobe Flash vulnerabilities.


Who should read this advisory?

  • BlackBerry PlayBook tablet users
  • IT administrators who deploy BlackBerry PlayBook tablets in an enterprise

Who should apply the software fix(es)?

  • BlackBerry PlayBook tablet users
  • IT administrators who deploy BlackBerry PlayBook tablets in an enterprise

Recommendation

Complete the resolution actions documented in this advisory.

Best practices

RIM recommends that BlackBerry PlayBook tablet users do not click links in emails received from untrusted sources or within webpages they are otherwise directed to by untrusted sources.

References

View the linked CVE identifiers for descriptions of the Adobe Flash Player security issues that this security advisory addresses.

CVE identifier    CVSS score
CVE-2011-2426     6.8
CVE-2011-2427     6.8
CVE-2011-2428     6.8
CVE-2011-2429     5.0
CVE-2011-2430     6.8
CVE-2011-2444     4.3

Problem

BlackBerry PlayBook tablet software that uses a vulnerable version of the Adobe Flash Player could potentially be susceptible to remote code execution (RCE).

Successful exploitation of any of these issues requires an attacker to craft Adobe Flash content in a stand-alone Adobe Flash (.swf) application or embed Adobe Flash content in a website, and then persuade the user to access the Adobe Flash content by clicking a link to the content in an email message or on a webpage.

Impact

Successful exploitation of any of these issues could potentially result in an attacker being able to execute arbitrary code (that is, achieve RCE) in the context of the application that opens the specially crafted Adobe Flash content (typically the web browser). Failed exploitation of one of these issues might result in abnormal or unexpected termination of the application.

While Adobe reports that one of the vulnerabilities described in bulletin APSB11-26 is being actively leveraged in attacks on users of Adobe Flash content, RIM is not aware of any attacks against BlackBerry PlayBook tablet users at this time.


Mitigations

RIM recommends that all users apply the available software update (BlackBerry PlayBook tablet software version 1.0.7.3312) to fully protect their BlackBerry PlayBook tablet. However, prior to the software update being applied, awareness of the following mitigations may help limit the risk of exposure to an attack.

These issues are mitigated for all users by the prerequisite that the attacker must persuade the user to access the maliciously crafted Adobe Flash content by opening the Adobe Flash application or clicking a maliciously crafted link in an email message. The attacker cannot force the user to access the content or bypass the requirement that the user chooses to access the content.

These vulnerabilities are unlikely to lead to impacts beyond those listed above. The capabilities and permissions of BlackBerry PlayBook tablet applications are heavily restricted using a technique called sandboxing. Sandboxing limits the likelihood of impact to the confidentiality or integrity of other applications or the private data associated with them.

Resolution

RIM has issued BlackBerry PlayBook tablet software version 1.0.7.3312, which resolves these Adobe Flash Player vulnerabilities on affected versions of the BlackBerry PlayBook tablet. Update your BlackBerry PlayBook tablet software to version 1.0.7.3312 or later to apply the update to Adobe Flash Player as recommended by Adobe.

Note: This BlackBerry PlayBook tablet update includes all previously released security updates for Adobe Flash Player on the BlackBerry Tablet OS. See Additional Information for a list of previously addressed Adobe Security Bulletins.

Update by Accessing the Software Update Notification

Your BlackBerry PlayBook tablet uses notifications to keep you informed about software updates. When a new software update notification comes in, it appears in the BlackBerry PlayBook status ribbon at the top of the screen.

Simply view your notifications and follow the steps to access the latest software update notification and complete the software update.

Manually Check for Software Updates

  1. From the home screen, tap  to open Options.
  2. Tap Software Updates.
  3. Tap Check for Updates.

After you update your software, the screen will indicate that you have installed BlackBerry Tablet OS version 1.0.7.3312 or later.

Workaround

RIM recommends that all users apply the available software update to fully protect their BlackBerry PlayBook tablet.

All workarounds should be considered temporary measures for customers to employ if they cannot install the update immediately or must perform standard testing and risk analysis. RIM recommends that customers without these requirements simply install the update to secure their systems.

For users that are unable to upgrade at this time, this risk can be mitigated by temporarily disabling all Adobe Flash content in the browser on the BlackBerry PlayBook tablet (in the browser, tap Options > Content, and set Enable Flash to Off).

Important: Turning off Adobe Flash content in the browser will impact the ability to view content on some web pages, and/or result in a diminished browsing experience.

Once users have upgraded their BlackBerry PlayBook tablet software, they can re-enable Adobe Flash content in the browser (in the browser, tap Options > Content, and set Enable Flash to On).

Additional Information

Have any BlackBerry customers been subject to an attack that exploits any of these vulnerabilities?

RIM is not aware of any attacks on or specifically targeting BlackBerry PlayBook tablet users.

Are these vulnerabilities in RIM’s BlackBerry PlayBook tablet source code?

No. The vulnerabilities are in Adobe Flash Player, a cross-platform, browser-based application runtime. Adobe Flash Player is created and supported by Adobe and included with the BlackBerry PlayBook tablet software.

Can a BlackBerry PlayBook tablet user update Adobe Flash Player without performing a full BlackBerry Tablet OS update?

No. The Adobe Flash Player is provided as an integral part of the BlackBerry Tablet OS installation, and they must be updated together.

Can an administrator use BlackBerry Enterprise Server IT policies to disable Adobe Flash Player on BlackBerry PlayBook tablets in an enterprise?

There are no IT policies that an administrator can use to disable Adobe Flash Player on the BlackBerry PlayBook tablet.

Does the BlackBerry PlayBook tablet force me to update my software?

No, your action is required to update the software. Your BlackBerry PlayBook tablet uses notifications to keep you informed about software updates and allows you to easily complete a software update. You can also manually check for software updates. See the Resolution section of this advisory for steps to update your software.

How can I find out what version of BlackBerry Tablet OS I am running?

From the home screen, tap the Settings icon, tap About, and view the OS Version field in the General settings.

Are new (still in the box) BlackBerry PlayBook tablets exposed to these vulnerabilities?

No. During the initial setup process, the BlackBerry PlayBook tablet will download and install the latest version of the BlackBerry Tablet OS, which will be version 1.0.7.3312 or later. The fixes for these vulnerabilities are included in all future versions of the BlackBerry PlayBook tablet software.

Which previous Adobe Flash vulnerabilities does this cumulative BlackBerry PlayBook tablet update include?

This update includes the fixes for Adobe Security Bulletin APSB11-26 and fixes for the vulnerabilities described in the following previous Adobe Security Bulletins:

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE corporation.

What is CVSS?

CVSS is a vendor-agnostic, open industry standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency of update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS for vulnerability assessments to present an immutable characterization of security issues. RIM assigns all relevant security issues a non-zero score.

Where can I read more about BlackBerry PlayBook security?

Read the BlackBerry PlayBook Security Technical Overview for more information on security features in the BlackBerry PlayBook tablet.

Where can I read more about the security of BlackBerry products and solutions?

Visit http://www.blackberry.com/security for more information on BlackBerry security.

Change Log

06-04-2012

Updates to article formatting. No technical content changed.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.