BSRT-2013-010 Vulnerability in Webkit browser engine impacts BlackBerry Z10 smartphone software

Article ID: KB35021

Type:   BlackBerry Security Advisory

First Published: 09-10-2013

Last Modified: 09-10-2013

Overview

This advisory addresses a WebKit remote code execution vulnerability that is not currently being exploited but affects BlackBerry® Z10 smartphone customers. BlackBerry customer risk is limited by the BlackBerry® 10 OS design, which restricts an application's access to system resources and the private data of other applications. Successful exploitation requires an attacker to create a malicious website or compromise a legitimate website, and requires that a BlackBerry Z10 smartphone user view a webpage containing the malicious JavaScript content. If all of the specific requirements are met for exploitation, an attacker could potentially execute code in the BlackBerry Browser. After installing the recommended software update, affected BlackBerry Z10 customers will be fully protected from this vulnerability.

Who should read this advisory?
  • BlackBerry Z10 smartphone users
  • IT administrators who deploy BlackBerry Z10 smartphones in an enterprise
Who should apply the software fix(es)?
  • BlackBerry Z10 smartphone users
  • IT administrators who deploy BlackBerry Z10 smartphones in an enterprise
More Information

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?
BlackBerry is not aware of any attacks on, or specifically targeting, BlackBerry Z10 smartphone customers using this vulnerability.

What factors affected the release of this security advisory?
This advisory addresses a publicly known WebKit vulnerability. BlackBerry publishes full details of a software update in a security advisory after the fix is available to the majority of our customers and wireless service provider partners. Publishing this advisory ensures that all of our customers can protect themselves by updating their software, or implementing mitigations included in this advisory until the software update is available to them. BlackBerry Z10 smartphone customers for whom the software update is not yet available should contact their wireless service provider to request BlackBerry 10 OS version 10.1.0.1392 or later.

Where can I read more about BlackBerry Z10 smartphone security?
Read the BlackBerry Enterprise Service 10 Security Technical Overview for more information on security features in the BlackBerry Z10 smartphone.

Where can I read more about the security of BlackBerry products and solutions?
Visit http://us.blackberry.com/business/topics/security.html for more information on BlackBerry security.

Affected Software and Resolutions

Customers can read the following lists to determine if their BlackBerry Z10 smartphone is affected.

Affected Software
  • BlackBerry 10 OS earlier than version 10.1.0.1392
Non-Affected Software
  • BlackBerry 10 OS version 10.1.0.1392 or later
  • BlackBerry 7 OS and earlier
  • BlackBerry® PlayBook™ tablet software
Are BlackBerry smartphones affected?
Yes; only BlackBerry Z10 smartphones are affected.
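The lists above reduce to a single rule an IT administrator can apply to a device inventory: a device is affected only if it is a Z10 and its BlackBerry 10 OS build is numerically earlier than 10.1.0.1392. The following script is an added example, not BlackBerry's code; the fixed-version threshold and model names come from this advisory, while the device names and OS builds in the sample inventory are constructed for illustration. It compares versions numerically, because a plain string comparison would rank a hypothetical build "10.1.0.999" above "10.1.0.1392" and wrongly report it as patched.

```python
"""Triage a device inventory against BSRT-2013-010 (added example, not BlackBerry's code).

Threshold and model rules are taken from the advisory; the sample inventory is constructed.
"""
from typing import NamedTuple

# First BlackBerry 10 OS build that contains the fix, per the advisory.
FIXED_VERSION = "10.1.0.1392"


def parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted build string into a tuple of ints so that comparison is numeric.

    String comparison gets this wrong: "10.1.0.999" > "10.1.0.1392" as text,
    but 999 < 1392 as a build number.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(model: str, os_version: str) -> bool:
    """Apply the advisory's affected / non-affected lists.

    Only the Z10 is affected, and only on BlackBerry 10 OS builds earlier than
    10.1.0.1392. Q10 and Q5 ship with the fix in every build, and BlackBerry 7 OS
    and earlier and the PlayBook tablet software are listed as not affected.
    """
    if model.strip().upper() != "Z10":
        return False
    return parse_version(os_version) < parse_version(FIXED_VERSION)


class Device(NamedTuple):
    name: str        # hypothetical asset name
    model: str       # Z10, Q10, Q5, ...
    os_version: str  # value shown under Settings > About > OS Version


def triage(devices: list[Device]) -> list[Device]:
    """Return the devices that still need BlackBerry 10 OS 10.1.0.1392 or later."""
    return [d for d in devices if is_affected(d.model, d.os_version)]


# Constructed sample inventory; asset names and build numbers are illustrative only.
SAMPLE_INVENTORY = [
    Device("sales-01", "Z10", "10.0.10.261"),
    Device("sales-02", "Z10", "10.1.0.999"),    # sorts as "newer" as a string, but is older
    Device("sales-03", "Z10", "10.1.0.1392"),   # exactly the fixed build: not affected
    Device("exec-01", "Z10", "10.2.0.424"),
    Device("exec-02", "Q10", "10.0.9.2743"),    # Q10 is never affected, whatever the build
    Device("ops-01", "Q5", "10.1.0.4181"),
]

if __name__ == "__main__":
    for d in triage(SAMPLE_INVENTORY):
        print(f"{d.name}: {d.model} on {d.os_version} -> update to {FIXED_VERSION} or later")
```

Feed `triage` the model and OS Version fields exported from your MDM or BlackBerry Enterprise Service inventory; devices whose build is not a dotted numeric string are rejected by `parse_version` rather than silently classified, which keeps odd or truncated inventory values from being reported as patched.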
Resolution

BlackBerry has issued a fix for this vulnerability, which is included in BlackBerry 10 OS 10.1.0.1392. The software update resolves this vulnerability on affected versions of BlackBerry Z10 smartphones. Customers should update their BlackBerry Z10 smartphone to BlackBerry 10 OS version 10.1.0.1392 or later to be fully protected from this issue.

Note: Customers who are running a BlackBerry 10 OS version earlier than 10.1.0.1392 but do not see a software update notification, and whose device indicates that the software is up to date, should contact their wireless service provider to request BlackBerry 10 OS version 10.1.0.1392 or later.

See the Mitigations section of this advisory for information on how to mitigate potential risk until the software update is available for all customers.

Update by Accessing the Software Update Notification

BlackBerry Z10 smartphones use notifications to keep customers informed about software updates. When a new software update notification is available, it appears within the Notifications section of the BlackBerry Hub on a BlackBerry Z10 smartphone.

Simply view the notifications and follow the steps to access the latest software update notification and complete the software update.

Manually Check for Software Updates on BlackBerry Z10 smartphones

  1. From the home screen, swipe down from the top of the screen.
  2. Tap Settings, then Software Updates.
  3. Tap Check for Updates.

Customers can also update their BlackBerry Z10 smartphone software using BlackBerry® Link. For more information, see the Help documentation for BlackBerry Link.

After customers update their software, the screen will indicate that BlackBerry 10 OS version 10.1.0.1392 or later is installed on the device.

More Information

How can I find out what version of the BlackBerry 10 OS I am running?

  1. From the home screen, swipe down from the top of the screen.
  2. Tap Settings.
  3. Tap About, and view the OS Version or Software Release field in the OS settings.

Are new (still in the box) BlackBerry Z10 smartphones exposed to this vulnerability?
During the initial setup process, the BlackBerry Z10 smartphone will download and install the latest version of the OS available from the user's carrier. The fix for this vulnerability is included in BlackBerry Z10 smartphone software version 10.1.0.1392 and later.

Note: Customers who are running a BlackBerry 10 OS version earlier than 10.1.0.1392 but do not see a software update notification, and whose device indicates that the software is up to date, can contact their wireless service provider to request BlackBerry 10 OS version 10.1.0.1392 or later.

Are BlackBerry Q10 and Q5 smartphones exposed to this vulnerability?
No. The fix for this vulnerability is included in all versions of the BlackBerry Q10 and Q5 smartphone software.

Does the BlackBerry Z10 smartphone force me to update my software?
No, customer action is required to update the software. BlackBerry Z10 smartphones use notifications to keep customers informed about software updates and provide instructions to easily install a software update. Customers can also manually check for software updates. See the Resolution section of this advisory for steps to update the software.

Vulnerability Information

A vulnerability exists in the JavaScriptCore component of the open source WebKit browser engine included in affected versions of the BlackBerry Z10 smartphone. The JavaScriptCore component interprets and executes JavaScript in the browser. Successful exploitation of the vulnerability could result in an attacker executing code in the context of the web browser.

In order to exploit this vulnerability, an attacker must place maliciously crafted JavaScript on a website; the website could be an otherwise legitimate website that the attacker has compromised. An example of a website that could be compromised is a site that accepts or hosts user-provided JavaScript content or advertisements. The attacker must then persuade the user to access the webpage containing maliciously crafted JavaScript using the BlackBerry Z10 smartphone browser.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 6.8. For a description of the WebKit security issue that this security advisory addresses, see the CVE® identifier CVE-2013-1000.

Mitigations

The capabilities and permissions of BlackBerry Z10 smartphone applications are restricted using a technique called sandboxing. Sandboxing limits the impact that a vulnerability in one application can have on the confidentiality or integrity of other applications and the private data associated with them.

In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit this vulnerability through the BlackBerry Browser and then convince a user to view the website, or the attacker could take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view the attacker-controlled content.

Workarounds

BlackBerry recommends that all users apply the available software update to fully protect their BlackBerry Z10 smartphone.

All workarounds should be considered temporary measures for customers to employ if they cannot install the update immediately or must perform standard testing and risk analysis. BlackBerry recommends that customers without these requirements install the update to secure their systems.

There are no workarounds for this vulnerability.

Definitions

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS

CVSS is a vendor-agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Change Log

09-10-2013

Initial publication.


Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.