BSRT-2013-007 Vulnerabilities in Adobe Flash Player version included with the BlackBerry Z10 and BlackBerry Q10 and BlackBerry PlayBook tablet software

Article ID: KB34774

Type:   BlackBerry Security Advisory

First Published: 09-10-2013

Last Modified: 09-10-2013

Overview

This advisory addresses several Adobe® Flash® Player remote code execution vulnerabilities that are not currently being exploited but affect BlackBerry® Z10 and BlackBerry® Q10 smartphones and BlackBerry® PlayBook™ tablets. BlackBerry customer risk is limited by the BlackBerry® 10 OS and the BlackBerry® tablet OS design, which restricts an application's access to system resources and the private data of other applications. Successful exploitation requires that an attacker craft malicious Adobe Flash content that they must then persuade the customer to access on a webpage, or as a downloaded Adobe AIR application. If these specific requirements are met, an attacker could potentially execute arbitrary code in the context of the application that opens the specially crafted Adobe Flash content. After installing the latest software update, BlackBerry Z10, BlackBerry Q10 and BlackBerry PlayBook tablet customers will be fully protected from these vulnerabilities.

Read the following Adobe security bulletins for further information on the issue:

Who should read this advisory?
  • BlackBerry Z10 smartphone users
  • BlackBerry Q10 smartphone users
  • BlackBerry PlayBook tablet users
  • IT administrators who deploy BlackBerry 10 smartphones in an enterprise
  • IT administrators who deploy BlackBerry PlayBook tablets in an enterprise
Who should apply the software fix(es)?
  • BlackBerry Z10 smartphone users
  • BlackBerry Q10 smartphone users
  • BlackBerry PlayBook tablet users
  • IT administrators who deploy BlackBerry Z10 smartphones in an enterprise
  • IT administrators who deploy BlackBerry PlayBook tablets in an enterprise
More Information

Have any BlackBerry customers been subject to an attack that exploits these vulnerabilities?
BlackBerry is not aware of any attacks on or specifically targeting BlackBerry Z10 smartphone, BlackBerry Q10 smartphone or BlackBerry PlayBook tablet customers using these Adobe vulnerabilities.

What factors affected the release of this security advisory?
This advisory addresses publicly known Adobe vulnerabilities. BlackBerry publishes full details of a software update in a security advisory after the fix is available to the majority of our customers and wireless service provider partners. Publishing this advisory ensures that all of our customers can protect themselves by either updating their software, or employing available workarounds if updating is not possible. Customers for whom the software update is not yet available should be aware of the available mitigations included in this advisory, and contact their wireless service provider to request BlackBerry 10 OS version 10.1.0.1720 or later and/or BlackBerry Tablet OS version 2.1.0.1753 or later.

Where can I read more about BlackBerry Z10 smartphone, BlackBerry Q10 smartphone and BlackBerry PlayBook tablet security?
Read the BlackBerry PlayBook tablet Security Feature Overview and the BlackBerry Enterprise Service 10 Security Technical Overview for more information on security features in the BlackBerry PlayBook tablet.

Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit http://us.blackberry.com/business/topics/security.html.

Affected Software and Resolutions

Customers can read the following lists to determine whether their BlackBerry Z10 smartphone, BlackBerry Q10 smartphone or BlackBerry PlayBook tablet is affected.

Affected Software
  • Adobe Flash Player versions included with BlackBerry 10 OS earlier than version 10.1.0.1720
  • Adobe Flash Player versions included with BlackBerry PlayBook tablet software earlier than version 2.1.0.1753
Non-Affected Software
  • BlackBerry 10 OS version 10.1.0.1720 or later
  • BlackBerry 7 OS and earlier
  • BlackBerry PlayBook tablet software version 2.1.0.1753 or later
Are BlackBerry smartphones affected?
Yes.
Resolution

BlackBerry has issued a fix for this vulnerability, which is included in BlackBerry 10 OS version 10.1.0.1720 and later and BlackBerry PlayBook tablet software version 2.1.0.1753 and later. These software updates resolve these Adobe Flash Player vulnerabilities on affected versions of BlackBerry Z10 smartphones, BlackBerry Q10 smartphones and the BlackBerry PlayBook tablet. Customers should update their BlackBerry Z10 smartphone and/or BlackBerry Q10 smartphone to BlackBerry 10 OS version 10.1.0.1720 or later and/or their BlackBerry PlayBook tablet software to version 2.1.0.1753 or later to be fully protected from these issues.

Both the BlackBerry 10 OS update and the BlackBerry PlayBook tablet update include all previously released security updates for Adobe Flash Player.

Note: If customers are running a BlackBerry Z10 smartphone OS version earlier than 10.1.0.1720, or a cellular-enabled BlackBerry tablet OS version earlier than 2.1.0.1753, but do not see a software update notification and their device indicates that the software is up to date, they can contact their wireless service provider to request BlackBerry Z10 smartphone OS version 10.1.0.1720 or later or BlackBerry Tablet OS version 2.1.0.1753 or later.

See the Mitigations section of this advisory for information on how to mitigate potential risk until the software update is available for all customers.

Update by Accessing the Software Update Notification

BlackBerry Z10 smartphones and BlackBerry PlayBook tablets use notifications to keep customers informed about software updates. When a new software update notification is available, it appears in the status ribbon at the top of the screen on the BlackBerry PlayBook tablet, and within the Notifications section of the BlackBerry Hub on a BlackBerry Z10 smartphone.
Simply view the notifications and follow the steps to access the latest software update notification and complete the software update.

Manually Check for Software Updates on BlackBerry Z10 smartphones

  1. From the home screen, swipe down from the top of the screen.
  2. Tap Settings, then Software Updates.
  3. Tap Check for Updates.

Manually Check for Software Updates on the BlackBerry PlayBook tablet

  1. From the home screen, swipe down from the top of the screen.
  2. Tap Software Updates.
  3. Tap Check for Updates.

Customers can also update their BlackBerry Z10 smartphone software using BlackBerry® Link and their BlackBerry tablet software using BlackBerry® Desktop Software. For more information, see the Help documentation for BlackBerry Link or the Help documentation for BlackBerry Desktop Software.

After customers update their software, the screen will indicate that BlackBerry 10 OS version 10.1.0.1720 or later and/or BlackBerry Tablet OS version 2.1.0.1720 or later is installed on the device.

More Information

How can I find out what version of the BlackBerry 10 OS I am running?
For BlackBerry Z10 and BlackBerry Q10 smartphones:

  1. From the home screen, swipe down from the top of the screen.
  2. Tap Settings.
  3. Tap About, and view the OS Version or Software Release field in the General settings.

For the BlackBerry PlayBook tablet:

  1. From the home screen, swipe down from the top of the screen.
  2. Tap About, and view the OS Version.

Are new (still in the box) BlackBerry Z10 and BlackBerry Q10 smartphones and BlackBerry PlayBook tablets exposed to this vulnerability?
As long as the user fully completes the device setup, including the device software update, the user's device will not be affected. During the initial setup process, the BlackBerry Z10 smartphone, BlackBerry Q10 smartphone and the BlackBerry PlayBook tablet will download and install the latest version of the OS available from the customer's carrier. The fix for this vulnerability is included in all versions of the BlackBerry Z10 smartphone software after version 10.1.0.1720 and the BlackBerry tablet software after 2.1.0.1753.
Note: If customers are running a BlackBerry Z10 smartphone OS version earlier than 10.1.0.1720, or a cellular-enabled BlackBerry tablet OS version earlier than 2.1.0.1753, but do not see a software update notification and their device indicates that the software is up to date, they can contact their wireless service provider to request BlackBerry Z10 smartphone OS version 10.1.0.1720 or later or BlackBerry Tablet OS version 2.1.0.1753 or later.

Is the BlackBerry Q5 smartphone exposed to this vulnerability?
No. The fix for this vulnerability is included in all versions of the BlackBerry Q5 smartphone software.

Does the BlackBerry Z10 smartphone, BlackBerry Q10 smartphone and/or BlackBerry PlayBook tablet force me to update my software?
No, your action is required to update the software. Your BlackBerry Z10 smartphone, BlackBerry Q10 smartphone and/or BlackBerry PlayBook tablet use notifications to keep you informed about software updates and provide instructions for you to easily install a software update. You can also manually check for software updates. See the Resolution section of this advisory for steps to update your software.

Can a BlackBerry Z10 smartphone customer, BlackBerry Q10 smartphone customer and/or BlackBerry PlayBook tablet customer update Adobe Flash Player without performing a full OS update?
No. Adobe Flash Player is provided as an integral part of both the BlackBerry 10 OS and the BlackBerry Tablet OS installation, and they must be updated together.

Can an administrator use BlackBerry Enterprise Server IT policies to disable Adobe Flash Player on BlackBerry 10 devices and/or BlackBerry PlayBook tablets in an enterprise?
No, there are no IT policies that an administrator can use to disable Adobe Flash Player on a BlackBerry Z10 smartphone, BlackBerry Q10 smartphone or the BlackBerry PlayBook tablet.

Vulnerability Information

Multiple vulnerabilities exist in the Adobe Flash Player version included with affected versions of BlackBerry Z10 smartphone, BlackBerry Q10 smartphone and BlackBerry PlayBook tablet software.

Successful exploitation of these issues could potentially result in an attacker being able to execute arbitrary code (that is, achieve remote code execution) in the context of the application that opens the specially crafted Adobe Flash content (typically the web browser). Failed exploitation of these issues might result in abnormal or unexpected termination of the application.

An attacker must craft Adobe Flash content in a stand-alone Adobe Flash (.swf) application or embed Adobe Flash content in a website. The attacker must then persuade the user to access the Adobe Flash content by clicking a link to the content in an email message or on a webpage or loaded as part of an Adobe AIR application. The email message could be received at a webmail account that the user accesses in a browser on a BlackBerry Z10 smartphone, BlackBerry Q10 smartphone and/or the BlackBerry PlayBook tablet.

These vulnerabilities all have a Common Vulnerability Scoring System (CVSS) score of 6.8. For a description of the Adobe Flash Player security issues that this security advisory addresses, see the CVE® identifiers.

CVE identifier — CVSS Score
CVE-2013-0633 — 6.8
CVE-2013-0634 — 6.8
CVE-2013-0637 — 6.8
CVE-2013-0638 — 6.8
CVE-2013-0639 — 6.8
CVE-2013-0642 — 6.8
CVE-2013-0644 — 6.8
CVE-2013-0645 — 6.8
CVE-2013-0646 — 6.8
CVE-2013-0647 — 6.8
CVE-2013-0648 — 6.8
CVE-2013-0649 — 6.8
CVE-2013-0650 — 6.8
CVE-2013-1365 — 6.8
CVE-2013-1366 — 6.8
CVE-2013-1367 — 6.8
CVE-2013-1368 — 6.8
CVE-2013-1369 — 6.8
CVE-2013-1370 — 6.8
CVE-2013-1371 — 6.8
CVE-2013-1372 — 6.8
CVE-2013-1373 — 6.8
CVE-2013-1374 — 6.8
CVE-2013-1375 — 6.8

Mitigations

BlackBerry PlayBook

These issues are mitigated for all customers by the prerequisite that the attacker must persuade the customer to access the maliciously crafted Adobe Flash content by opening the Adobe Flash application or clicking a maliciously crafted link in an email message or on a web page. The attacker cannot force the customer to access the content or bypass the requirement that the customer chooses to access the content. BlackBerry recommends that customers do not click links in emails received from untrusted sources or within webpages they are otherwise directed to by untrusted sources, or load Adobe Flash applications from untrusted sources on the BlackBerry PlayBook tablet.

The capabilities and permissions of BlackBerry PlayBook tablet applications are heavily restricted using a technique called sandboxing. Sandboxing limits the impact of vulnerabilities in applications to the confidentiality or integrity of other applications or the private data associated with them.

BlackBerry Z10 and BlackBerry Q10 smartphone

Adobe Flash is not enabled by default on a BlackBerry Z10 and/or BlackBerry Q10 smartphone. A customer must enable Adobe Flash to view Flash content within the browser.
These issues are mitigated for all customers by the prerequisite that the attacker must persuade the customer to access the maliciously crafted Adobe Flash content by opening the Adobe Flash application or clicking a maliciously crafted link in an email message or on a web page. The attacker cannot force the customer to access the content or bypass the requirement that the customer chooses to access the content. BlackBerry recommends that customers do not click links in emails received from untrusted sources or within webpages they are otherwise directed to by untrusted sources, or load Adobe Flash applications from untrusted sources on the BlackBerry Z10 smartphone and/or BlackBerry Q10.

The capabilities and permissions of the BlackBerry Z10 and BlackBerry Q10 smartphone applications are heavily restricted using a technique called sandboxing. Sandboxing limits the likelihood of impact to the confidentiality or integrity of other applications or the private data associated with them.

Workarounds

BlackBerry recommends that all customers apply the available software updates to fully protect their BlackBerry Z10 smartphone, BlackBerry Q10 smartphone and/or BlackBerry PlayBook tablets.

All workarounds should be considered temporary measures for customers to employ if they cannot install the update immediately or must perform standard testing and risk analysis. BlackBerry recommends that customers without these requirements install the update to secure their systems.

BlackBerry PlayBook tablet

For users that are unable to upgrade at this time, this risk can be mitigated by temporarily disabling all Adobe Flash content in the browser on the BlackBerry PlayBook tablet (in the browser, tap Options > Content, and set Enable Flash to Off).

Important: Turning off Adobe Flash content in the browser will impact the ability to view content on some web pages, and result in a diminished browsing experience.

Once users have upgraded their BlackBerry PlayBook tablet software, they can re-enable Adobe Flash content in the browser (in the browser, tap Options > Content, and set Enable Flash to On).

BlackBerry Z10 and BlackBerry Q10 smartphone

For users that are unable to upgrade at this time and have enabled Adobe Flash, this risk can be mitigated by temporarily disabling all Adobe Flash content in the browser on the BlackBerry Z10 and/or BlackBerry Q10 smartphone (in the browser, tap Options > Settings > Display and Actions, and set Adobe Flash to Off).

Important: Turning off Adobe Flash content in the browser will impact the ability to view content on some web pages, and result in a diminished browsing experience.

Once users have upgraded their BlackBerry Z10 and/or BlackBerry Q10 smartphone software, they can re-enable Adobe Flash content in the browser. Either tap Options > Settings > Display and Actions in the browser and set Adobe Flash to On, or select Enable Flash in the dialogue that is shown when viewing a webpage that uses Flash within the personal browser.

Definitions

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS

CVSS is a vendor-agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Change Log

09-10-2013

Initial publication.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.