Temporary Denial of Service in the BlackBerry Browser

Article ID: KB12577

Type:   Security Advisory

First Published: 12-09-08

Last Modified: 09-02-2010

 

Product(s) Affected:

  • BlackBerry Internet Service

Affected Software

  • BlackBerry® devices
  • BlackBerry® Device Software version 4.2 and earlier

 

Are BlackBerry smartphones and the BlackBerry Device Software affected?

Yes.

Issue Severity

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 1.9.

Overview

A Denial of Service (DoS) issue exists in the BlackBerry® Browser in BlackBerry Device Software version 4.2 and earlier. Research In Motion (RIM) has corrected this problem in later releases of the BlackBerry Device Software.

While in the process of parsing a long web page address, the BlackBerry Browser uses almost all of the BlackBerry device processing capability. This may cause the BlackBerry device to become slow or to stop responding.

Recommendation

Complete the resolution actions documented in this advisory.

References

This article is in reference to US-CERT Advisory VU#282856.

Problem

A temporary DoS vulnerability exists in the BlackBerry Browser. The BlackBerry Browser may stop responding when parsing a long web page address.

Impact

A web site creator with malicious intent may use a Hypertext Markup Language (HTML) or Wireless Markup Language (WML) web page that contains a long string value within the link. If the BlackBerry device user accesses the link using the BlackBerry Browser, a temporary DoS may occur and the BlackBerry device may stop responding.
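As an added illustration that is not part of RIM's advisory, the following gateway-side check flags oversized link targets in HTML or WML markup before a page is handed to a device that cannot yet run the corrected software. The 2048-character threshold, the tag list and the sample markup are assumptions made for the example, not values taken from the advisory.

```python
from html.parser import HTMLParser

# Assumed threshold (not from the advisory): any link target longer than this
# is reported so a proxy or content filter can block or log the page.
MAX_LINK_LENGTH = 2048


class LongLinkScanner(HTMLParser):
    """Collect every link whose href exceeds max_len.

    Covers HTML <a>/<area>/<link href> and WML <a>/<go href>; WML is XML-like
    enough that html.parser tolerates it for this purpose.
    """

    LINK_TAGS = {"a", "area", "link", "go"}

    def __init__(self, max_len=MAX_LINK_LENGTH):
        super().__init__()
        self.max_len = max_len
        self.findings = []  # (tag, href_length, truncated preview)

    def handle_starttag(self, tag, attrs):
        if tag not in self.LINK_TAGS:
            return
        for name, value in attrs:
            if name == "href" and value is not None and len(value) > self.max_len:
                self.findings.append((tag, len(value), value[:40] + "..."))


def scan_page(markup, max_len=MAX_LINK_LENGTH):
    """Return a list of (tag, href_length, preview) for oversized links."""
    scanner = LongLinkScanner(max_len)
    scanner.feed(markup)
    scanner.close()
    return scanner.findings


# Constructed samples: one normal link next to one oversized link (HTML),
# and a WML card with an oversized <go href>. Lengths are arbitrary.
SAMPLE_HTML = (
    '<html><body><a href="http://www.blackberry.com/security">ok</a>'
    '<a href="http://example.invalid/?q=' + "A" * 5000 + '">suspect</a>'
    "</body></html>"
)
SAMPLE_WML = '<wml><card id="c"><p><go href="wtai://' + "B" * 3000 + '"/></p></card></wml>'

if __name__ == "__main__":
    for sample in (SAMPLE_HTML, SAMPLE_WML):
        for tag, length, preview in scan_page(sample):
            print(f"<{tag}> href of {length} chars: {preview}")
```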

Resolution

Install BlackBerry Device Software version 4.2 Service Pack 1 or later. Downloads are available at the following link: http://www.blackberry.com/support/downloads/index.shtml

Workaround

If the BlackBerry Browser or BlackBerry device stops responding, do one of the following:

  • Press the Alt and Escape keys simultaneously to switch to another application on the BlackBerry device.
  • Perform a hard reset of the BlackBerry device. For instructions, see KB02141.
  • Wait for the BlackBerry device or the BlackBerry Browser to respond. This occurs after a period of time relative to the size of the link that exploited the vulnerability.

Additional Information

CVSS

CVSS is a vendor-agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS in vulnerability assessments to present an immutable characterization of security issues. RIM assigns all security-relevant issues a non-zero score.

BlackBerry Security

Visit www.blackberry.com/security for more information on BlackBerry security.

Acknowledgements

RIM would like to acknowledge Michael Kemp (clappymonkey) for discovering this issue and for his involvement in helping protect our customers.

Change Log

09-02-10

Updates to article formatting. No technical content changed.

03/11/07

Update due to a system upgrade that did not affect article content.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.