Vulnerability exists in BlackBerry Application Web Loader ActiveX control

Article ID: KB16248

Type:   Security Advisory

First Published: 02-10-09

Last Modified: 09-02-2010

Products

Affected Software
  • BlackBerry® Application Web Loader Version 1.0
  • Microsoft® Internet Explorer (all versions)

Non-Affected Software

BlackBerry® Web Desktop Manager

Are BlackBerry smartphones and the BlackBerry Device Software affected?
No.
Issue Severity

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.3.

Overview

This advisory is intended to assist Research In Motion's (RIM's) customers in addressing an identified vulnerability in the BlackBerry Application Web Loader.

Issue Status: Vulnerability confirmed. Software containing security update released.

The BlackBerry Application Web Loader is a Microsoft® ActiveX® web-based application loader that third-party application developers use to create web pages that enable users to install applications directly on a BlackBerry device. When a user accesses a web page that uses the BlackBerry Application Web Loader and accepts the permission prompt, the web page installs the BlackBerry Application Web Loader on the user’s computer. The BlackBerry Application Web Loader then uses the .jad and .cod files stored on the web server to install an application on a BlackBerry device connected to the user’s computer.

The BlackBerry Application Web Loader ActiveX control has the following properties:

ActiveX control property    Value
Name                        RIM AxLoader
Publisher                   Research In Motion Limited.
File                        AxLoader.ocx or AxLoader.dll
Class identifier            4788DE08-3552-49EA-AC8C-233DA52523B9

Recommendation

Complete the resolution actions documented in this advisory.

Problem

An exploitable buffer overflow exists in the BlackBerry Application Web Loader ActiveX control that Internet Explorer uses to install applications on BlackBerry devices.

Impact

When a BlackBerry device user browses to a web site that uses the BlackBerry Application Web Loader ActiveX control to install applications on BlackBerry devices over a USB connection, and clicks Yes to install and run the ActiveX control, the vulnerable ActiveX control is installed on the user's computer.

Resolution

To resolve the issue, install a version of the BlackBerry Application Web Loader that does not include the vulnerability.

Install the updated version of the BlackBerry Application Web Loader

  1. Click the link to download the BlackBerry Application Web Loader v1.1.
  2. Complete the installation wizard.

Install additional fix to protect ActiveX controls from misuse in Internet Explorer

Microsoft has issued the following Security Bulletins and software updates for critical security vulnerabilities related to ActiveX controls. For further protection against the issue described in this security advisory, review and install all of the Microsoft updates listed below:

Date of issue        Link to security bulletin and software updates
October 13, 2009     MS09-060: Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office could allow remote code execution
September 8, 2009    Microsoft Security Bulletin MS09-037 - Critical - Cumulative Security Update for Internet Explorer

See the Microsoft Knowledge Base article How to stop an ActiveX control from running in Internet Explorer (Article ID: 240797) for more information about options for disabling and removing ActiveX controls.

Workaround

Remove the ActiveX control from Internet Explorer, and then disable the ActiveX control so that Internet Explorer cannot reinstall it.

Remove the ActiveX control from Internet Explorer

  1. Open Internet Explorer.
  2. Click Tools > Internet Options.
  3. Under Temporary Internet Files click Settings.
  4. Click View Objects.
  5. Locate RIM AxLoader in the Program Files list:
    • If there is more than one RIM AxLoader file listed, right-click each file and select Properties. Verify which file has ID 4788DE08-3552-49EA-AC8C-233DA52523B9.
  6. Right-click the RIM AxLoader file that has ID 4788DE08-3552-49EA-AC8C-233DA52523B9, and click Remove.
  7. Right-click RIM AxLoader and click Remove.
  8. Click Yes.
  9. Restart Internet Explorer.

Disable the ActiveX control

Use the Registry Editor to set a registry key for the ActiveX control that uses a specific Compatibility Flags DWORD value. This prevents Internet Explorer from calling that ActiveX control, if it exists, unless the Initialize and script ActiveX controls not marked as safe option is enabled in Internet Explorer, or from reinstalling that ActiveX control at the request of another web site.

  1. Use the Registry Editor to browse to the following location:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
  2. Verify whether the key {4788DE08-3552-49EA-AC8C-233DA52523B9} exists:
    • If the key exists, continue to step 3.
    • If the key does not exist, click Edit > New > Key. Rename the new key to {4788DE08-3552-49EA-AC8C-233DA52523B9}, the class identifier of the ActiveX control.
  3. If the key {4788DE08-3552-49EA-AC8C-233DA52523B9} does not exist, click Edit > New > Key.
  4. Rename the key to {4788DE08-3552-49EA-AC8C-233DA52523B9}, the class identifier of the ActiveX control.
  5. Click {4788DE08-3552-49EA-AC8C-233DA52523B9}. Click Edit > New > DWORD value.
  6. Rename the DWORD value to Compatibility Flags.
  7. Click Compatibility Flags. Click Edit > Modify.
  8. Set the Value data field to 00000400.
  9. Restart Internet Explorer.
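The registry workaround above, scripted for an administrator who needs to audit and apply it across many computers. This is an added example, not part of the RIM advisory; the CLSID and the 00000400 Compatibility Flags value come from the advisory, while the Wow6432Node path (used by 32-bit Internet Explorer on 64-bit Windows) and the CLSID registration check are additions beyond the page.

```powershell
# Added example (not RIM's code): audit and set the Internet Explorer kill bit for
# the RIM AxLoader control. Run from an elevated PowerShell session.
#Requires -RunAsAdministrator

$Clsid   = '{4788DE08-3552-49EA-AC8C-233DA52523B9}'   # class identifier from the advisory
$KillBit = 0x400                                      # Compatibility Flags bit = 00000400

# 32-bit IE on 64-bit Windows reads the Wow6432Node copy of the key (assumption beyond the page).
$CompatPaths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $CompatPaths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-AxLoaderRegistration {
    # Reports whether the control is still registered and where its binary lives
    # (AxLoader.ocx or AxLoader.dll according to the advisory).
    foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID') {
        $srv = Get-ItemProperty -Path "$hive\$Clsid\InprocServer32" -ErrorAction SilentlyContinue
        if ($srv) { [pscustomobject]@{ Key = "$hive\$Clsid"; Binary = $srv.'(default)' } }
    }
}

function Test-AxLoaderKillBit {
    # True only if every applicable compatibility key exists and has the 0x400 bit set.
    # A bitwise test is used because other Compatibility Flags bits may also be present.
    $results = foreach ($p in $CompatPaths) {
        $flags = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        [bool]($flags -band $KillBit)
    }
    -not ($results -contains $false)
}

function Set-AxLoaderKillBit {
    # Creates the key if needed and ORs in 0x400 so flags already set by other
    # updates are kept (writing a bare 0x400 would clear them).
    foreach ($p in $CompatPaths) {
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $current = (Get-ItemProperty -Path $p -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = [int]($current -bor $KillBit)
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

Get-AxLoaderRegistration                     # inventory: is AxLoader still on this machine?
if (-not (Test-AxLoaderKillBit)) { Set-AxLoaderKillBit }
"Kill bit set for $Clsid : $(Test-AxLoaderKillBit)"
```

As in the manual procedure, Internet Explorer must be restarted before the new flag takes effect.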
Additional Information

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.

CVSS

CVSS is a vendor-agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS in vulnerability assessments to present an immutable characterization of security issues. RIM assigns all security-relevant issues a non-zero score.

BlackBerry Security

Visit www.blackberry.com/security for more information on BlackBerry security.

BlackBerry Application Web Loader

See the BlackBerry Application Web Loader Developer Guide for more information about the BlackBerry Application Web Loader.

Acknowledgements

eEye Digital Security, working with CERT/CC, identified this vulnerability.

RIM would like to acknowledge Microsoft for including the kill bit(s) from this security update in the Microsoft Advisory. Customers should primarily look to RIM’s security update to resolve this issue. RIM would like to thank Microsoft for their involvement in helping protect our customers.

The update from Microsoft is also available through Microsoft Update, Windows Update, or Office Update, or from the Microsoft Download Center.

Change Log

09-02-10

Updates to article formatting. No technical content changed.

10-20-09

Article updated to link to the latest ActiveX control fix from Microsoft. For further details, see the Resolution section.

09-16-09

Article updated to link to the latest ActiveX control fix from Microsoft. For further details, see the Resolution section.

07-31-09

Article updated to recommend applying an additional ActiveX control fix from Microsoft for protection against the issue described in this advisory. For further details, see the Resolution section.

02-11-09

Article updated to note that the BlackBerry Web Desktop Manager is unaffected by the issue described in this advisory.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.