BSRT-2014-001 Vulnerabilities in Adobe Flash impact BlackBerry Z10 and BlackBerry Q10 smartphone and BlackBerry PlayBook tablet software

Article ID: KB35565

Type: BlackBerry Security Advisory

First Published: 01-14-2013

Last Modified: 01-14-2014

Product(s) Affected:

  • BlackBerry Z10
  • BlackBerry Q10
  • BlackBerry PlayBook tablet
  • 4G LTE BlackBerry PlayBook
Overview

This advisory addresses Adobe® Flash® remote code execution vulnerabilities that are not currently being exploited but affect BlackBerry® Z10 and BlackBerry® Q10 smartphone and BlackBerry® PlayBook™ tablet customers. BlackBerry® customer risk is limited by the BlackBerry® 10 OS and BlackBerry® PlayBook™ OS design, which restricts an application's access to system resources and the private data of other applications. Successful exploitation requires an attacker to craft malicious Adobe Flash content and requires that a user access the malicious content on a webpage or as a downloaded Adobe® AIR® application. If the requirements are met for exploitation, an attacker could potentially execute code with the rights of the application that opens the specially crafted malicious Flash content. After installing the recommended software update, affected BlackBerry smartphone and BlackBerry tablet customers will be fully protected from these vulnerabilities.

Read the following Adobe security bulletin for further information on the issue:

Who should read this advisory?
  • BlackBerry Z10 and BlackBerry Q10 smartphone and BlackBerry PlayBook tablet users
  • IT administrators who deploy BlackBerry Z10 and BlackBerry Q10 smartphones and BlackBerry PlayBook tablets in an enterprise
Who should apply the software fix(es)?
  • BlackBerry Z10 and BlackBerry Q10 smartphone and BlackBerry PlayBook tablet users
  • IT administrators who deploy BlackBerry Z10 and BlackBerry Q10 smartphones and BlackBerry PlayBook tablets in an enterprise
More Information

Have any BlackBerry customers been subject to an attack that exploits these vulnerabilities?
BlackBerry is not aware of any attacks targeting BlackBerry smartphone or BlackBerry tablet customers using these vulnerabilities.

What factors affected the release of this security advisory?
This advisory addresses publicly known Flash vulnerabilities. BlackBerry publishes full details of a software update in a security advisory after the fix is available to the majority of our customers and wireless service provider partners. Publishing this advisory ensures that all of our customers can protect themselves by updating their software or employing available workarounds if updating is not possible. Customers for whom the software update is not yet available should contact their wireless service provider to request BlackBerry 10 OS version 10.1.0.1880 or later or BlackBerry PlayBook OS version 2.1.0.1753 or later.

Where can I read more about BlackBerry smartphone and BlackBerry tablet security?

For more information on security features in BlackBerry Z10 and BlackBerry Q10 smartphones and BlackBerry tablets, read the BlackBerry Enterprise Service 10 Security Technical Overview and the BlackBerry PlayBook Tablet Security Feature Overview.

Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit http://us.blackberry.com/business/topics/security.html and www.blackberry.com/bbsirt.

Affected Software and Resolutions
Read the following information to determine if your BlackBerry smartphone or tablet is affected.
Affected Software
  • BlackBerry 10 OS version earlier than version 10.1.0.1880
  • BlackBerry PlayBook OS earlier than version 2.1.0.1753
Non-Affected Software
  • BlackBerry 10 OS version 10.1.0.1880 and later
  • BlackBerry PlayBook OS version 2.1.0.1753 and later
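The affected/non-affected boundaries above are decided by numeric comparison of dotted version strings, which plain string comparison gets wrong. The following is an added triage helper (not part of the advisory or of any BlackBerry tool); the product labels and the inventory entries are constructed sample input, and only the two fixed version numbers come from the advisory.

```python
# Added example: flag devices whose reported OS version is earlier than the
# fixed version named in the advisory. Product labels and the sample
# inventory are constructed; the fixed versions are the advisory's.
from typing import List, Tuple

# Fixed versions from the advisory: anything earlier is affected.
FIXED_VERSIONS = {
    "BlackBerry 10 OS": "10.1.0.1880",
    "BlackBerry PlayBook OS": "2.1.0.1753",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into a tuple of integers.

    Comparing int tuples avoids the string-comparison trap in which
    "10.1.0.999" sorts after "10.1.0.1880" because '9' > '1'.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(product: str, version: str) -> bool:
    """True when `version` of `product` is earlier than the fixed version."""
    fixed = FIXED_VERSIONS[product]  # KeyError for products not in scope
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (device_id, product, version) entries still needing the update."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed sample inventory: (device id, product, reported OS version).
SAMPLE_INVENTORY = [
    ("z10-001", "BlackBerry 10 OS", "10.0.9.100"),
    ("z10-002", "BlackBerry 10 OS", "10.1.0.1880"),
    ("q10-003", "BlackBerry 10 OS", "10.1.0.2312"),
    ("pb-004", "BlackBerry PlayBook OS", "2.1.0.1526"),
    ("pb-005", "BlackBerry PlayBook OS", "2.1.0.1753"),
]

if __name__ == "__main__":
    for device_id, product, version in triage(SAMPLE_INVENTORY):
        print(f"{device_id}: {product} {version} is affected; update required")
```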
Are BlackBerry smartphones affected?
Yes; BlackBerry Z10 and BlackBerry Q10 smartphones are affected.
Resolution

BlackBerry has issued a fix for these vulnerabilities, which is included in BlackBerry 10 OS version 10.1.0.1880 and later, and PlayBook OS version 2.1.0.1753 and later. These software updates resolve these vulnerabilities on affected versions of BlackBerry smartphones and BlackBerry tablets. Update BlackBerry smartphones to version 10.1.0.1880 or later and BlackBerry tablets to version 2.1.0.1753 or later to be fully protected from this issue.
Note: If customers are running an affected version but do not see a software update notification and the device indicates that the software is up to date, customers can contact their wireless service provider to request BlackBerry 10 OS version 10.1.0.1880 or later, and PlayBook OS version 2.1.0.1753 or later.
See the Mitigations section of this advisory for information on how to manage potential risk until the software update is available for all customers.

Update by Accessing the Software Update Notification

BlackBerry smartphones and BlackBerry tablets use notifications to keep customers informed about software updates. When a new software update notification is available, it appears in the status ribbon at the top of the screen on BlackBerry tablets and in the Notifications section of the BlackBerry Hub on affected BlackBerry smartphones.

View the notifications and follow the steps to access the latest software update notification and complete the software update.

Manually Check for Software Updates on BlackBerry smartphones

  1. From the home screen, swipe down from the top of the screen.
  2. Tap Settings, then Software Updates.
  3. Tap Check for Updates.

Manually Check for Software Updates on BlackBerry tablets

  1. From the home screen, swipe down from the top of the screen.
  2. Tap Software Updates.
  3. Tap Check for Updates.

Customers can also update their BlackBerry smartphone software using BlackBerry® Link and their BlackBerry tablet software using BlackBerry® Desktop Software. For more information, see the Help documentation for BlackBerry Link or the Help documentation for BlackBerry Desktop Software.

More Information

How can I find out what version of the BlackBerry 10 OS or PlayBook OS I am running?
For BlackBerry 10 OS:

  1. From the home screen, swipe down from the top of the screen.
  2. Tap Settings, then Software Updates.
  3. Tap About, and view the OS Version or Software Release field in the OS settings.

For BlackBerry PlayBook OS:

  1. From the home screen, tap the Settings icon, tap About, and view the OS Version field in the General settings.

Are new (still in the box) BlackBerry Z10 and BlackBerry Q10 smartphones and BlackBerry PlayBook tablets exposed to these vulnerabilities?
As long as the customer fully completes the device setup, including the device software update, the user's device will not be affected. During the initial setup process, BlackBerry smartphones and tablets will download and install the latest version of the OS available from the customer’s carrier. The fix for these vulnerabilities is included in all versions of BlackBerry 10 OS later than version 10.1.0.1880 and in BlackBerry PlayBook OS after version 2.1.0.1753.
Note: If customers are running an affected version but do not see a software update notification, and their device indicates that the software is up to date, customers can contact their wireless service provider to request BlackBerry 10 OS version 10.1.0.1880 or later, or PlayBook OS 2.1.0.1753 or later.

Are BlackBerry® Z30 and BlackBerry® Q5 smartphones exposed to these vulnerabilities?
No. The fix for these vulnerabilities is included in all versions of the BlackBerry Z30 and BlackBerry Q5 smartphone software.

Do BlackBerry Z10 and BlackBerry Q10 smartphones and BlackBerry PlayBook tablets force me to update my software?
No, customer action is required to update the software. BlackBerry smartphones and tablets use notifications to keep customers informed about software updates and provide instructions for customers to easily install a software update. Customers can also manually check for software updates. See the Resolution section of this advisory for steps to update customer software.

Can a BlackBerry Z10 and BlackBerry Q10 smartphone and BlackBerry PlayBook tablet customer update the Adobe® Flash® Player without performing a full BlackBerry 10 OS or PlayBook OS upgrade?
No. Adobe Flash Player is provided as an integral part of the BlackBerry Z10 and BlackBerry Q10 smartphone and BlackBerry PlayBook tablet installation, and they must be updated together.

Can an administrator use BlackBerry Enterprise Server IT policies to disable Adobe Flash Player on BlackBerry 10 smartphones or BlackBerry tablets in an enterprise?
No, there are no IT policies that an administrator can use to disable the Flash Player on BlackBerry Z10 and BlackBerry Q10 smartphones and BlackBerry PlayBook tablets.

Vulnerability Information

Vulnerabilities exist in the Flash Player version supplied with affected versions of the BlackBerry 10 OS and PlayBook OS. The Flash Player is a cross-platform, browser-based application runtime.

Successful exploitation of these vulnerabilities could potentially result in an attacker executing code in the context of the application that opens the specially crafted Flash content (typically the web browser). Failed exploitation of this issue might result in abnormal or unexpected termination of the application.

In order to exploit these vulnerabilities, an attacker must craft Flash content in a stand-alone Flash (.swf) application or embed Flash content in a website. The attacker must then persuade the user to access the Flash content by clicking a link to the content in an email message or on a webpage, or loading it as part of an AIR application. The email message could be received at a webmail account that the user accesses in a browser on BlackBerry Z10 and BlackBerry Q10 smartphones and BlackBerry tablets.

These vulnerabilities have a Common Vulnerability Scoring System (CVSS) score of 6.8. View the linked CVE identifier for a description of the security issue that this security advisory addresses.

CVE identifier — CVSS score
CVE-2013-1378 — 6.8
CVE-2013-1379 — 6.8
CVE-2013-1380 — 6.8
CVE-2013-2555 — 6.8

Mitigations

Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations, and general best practices.

This issue is mitigated for all customers by the prerequisite that the attacker must persuade the customer to access the maliciously crafted Flash content by opening the Flash application or clicking a maliciously crafted link in an email message or on a web page. The attacker cannot force the customer to access the content or bypass the requirement that the customer chooses to access the content. BlackBerry recommends that customers do not click links in emails received from untrusted sources or within webpages they are otherwise directed to by untrusted sources, or load Flash applications from untrusted sources on BlackBerry smartphones and tablets.

The capabilities and permissions of BlackBerry 10 smartphone and BlackBerry tablet applications are restricted by using a technique called sandboxing. Sandboxing limits the impact of vulnerabilities in applications to the confidentiality or integrity of other applications or the private data associated with them.

Workarounds

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack. BlackBerry recommends that all users apply the available software update to fully protect their system. All workarounds should be considered temporary measures for customers to apply if they cannot install the update immediately or must perform standard testing and risk analysis. BlackBerry recommends that customers who are able to do so install the update to secure their systems.

For BlackBerry 10 smartphones:

For users who are unable to upgrade at this time and have enabled Flash, this risk can be mitigated by temporarily disabling all Flash content in the browser on BlackBerry smartphones (in the browser, tap Options > Settings > Display and Actions, and set Adobe Flash to Off).

Important: Turning off Flash content in the browser will impact the ability to view content on some web pages, and result in a diminished browsing experience.

After users have upgraded their BlackBerry smartphone software, they can re-enable Flash content in the browser (in the browser, tap Options > Settings > Display and Actions, and set Adobe Flash to On or select Enable Flash in the dialogue that is shown when viewing a webpage that uses Flash, within the personal browser).

For BlackBerry tablets:

For users who are unable to upgrade at this time, this risk can be mitigated by temporarily disabling all Adobe Flash content in the browser on the BlackBerry tablet (in the browser, tap Options > Content, and set Enable Flash to Off).

Important: Turning off Flash content in the browser will impact the ability to view content on some web pages, and result in a diminished browsing experience.

After users have upgraded their BlackBerry tablet software, they can re-enable Flash content in the browser (in the browser, tap Options > Content, and set Enable Flash to On).

Definitions

CVE
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS
CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Change Log

01-14-2013

Initial publication.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.