Vulnerabilities in WebKit browser engine impact BlackBerry 6

Article ID: KB26132

Type:   Security Advisory

First Published: 10-11-2011

Last Modified: 12-12-2011

 

Product(s) Affected:

  • BlackBerry Bold 9700
  • BlackBerry Style 9670
  • BlackBerry Bold 9780
  • BlackBerry Pearl 9100 Series
  • BlackBerry Curve 9330
  • BlackBerry Bold 9650
  • BlackBerry Torch 9800
  • BlackBerry Curve 9300
Affected Software
  • BlackBerry® 6 software
Non Affected Software
  • BlackBerry Device Software versions earlier than 6.0
  • BlackBerry® 7 and later
  • BlackBerry® Enterprise Server
  • BlackBerry® Internet Service
  • BlackBerry® Desktop Manager
  • BlackBerry® Mobile Voice System
Are BlackBerry smartphones and the BlackBerry Device Software affected?
Yes. The issues affect the open source WebKit browser engine used in BlackBerry 6.
Issue Severity

These three vulnerabilities have a maximum Common Vulnerability Scoring System (CVSS) score of 6.8. See the Reference section below for details of the CVSS score and impact for each vulnerability.

Overview

This security advisory addresses three specific vulnerabilities affecting the implementation of open source WebKit technology in the BlackBerry Browser in BlackBerry 6. Successful exploitation of the vulnerabilities requires the BlackBerry smartphone user to browse to a website that the attacker has maliciously designed. A successful attack could result in remote code execution (RCE) on a smartphone running BlackBerry 6. An attacker exploiting these vulnerabilities could read or write to the built-in media storage section of a BlackBerry smartphone or to the media card but could not access user data that the email, calendar, and contact applications store in the application storage (the internal file system that stores application data and user data) of the BlackBerry smartphone.

The most severe of the three vulnerabilities has a CVSS score of 6.8. The least severe has a CVSS score of 5.0.

At this time there is no evidence of the vulnerabilities being used in attacks against the BlackBerry platform, and RIM is not aware of any impact to BlackBerry customers as a result of these vulnerabilities.

Note: KB26132 was previously published as a Security Notice to responsibly advise customers about the existence of one of the three vulnerabilities, which had been publicly disclosed, and provide workaround options in lieu of a software update to address that issue for all affected customers. This Security Advisory replaces that Security Notice and provides full details of publicly available software updates that address that issue and two related issues, and urges affected customers to upgrade.

Who should read this advisory?
  • BlackBerry smartphone users
  • BlackBerry Enterprise Server administrators
Who should apply the software fix(es)?
  • BlackBerry smartphone users
  • BlackBerry Enterprise Server administrators
Recommendation
Complete the resolution actions documented in this advisory.
References

View the linked CVE® Identifiers for descriptions of the WebKit security issues that this security advisory addresses:

CVE Identifier    Impact                    CVSS score
CVE-2011-1290     RCE                       6.8
                  RCE                       6.8
CVE-2011-1202     Information disclosure    5.0

Problem

Successful exploitation of the vulnerabilities requires the BlackBerry smartphone user to browse to a website that the attacker has maliciously designed. The website could be an otherwise legitimate website that the attacker has compromised. An example of a website that could be compromised is a site that accepts or hosts user-provided HTML content or advertisements.

Best practices

Exercise caution when clicking on links to untrusted websites in browsers, email or instant messages.

Impact

A successful attack could result in remote code execution (RCE) on a smartphone running BlackBerry 6 software. An attacker could exploit the vulnerabilities to access the built-in media storage on a smartphone running BlackBerry 6. WebKit has access to data stored in the built-in media section as well as the media card (if present), but not the application storage of the BlackBerry smartphone because WebKit runs in a user mode process (a restricted process). For example, the attacker could download the BlackBerry Messenger contact list (which is stored in built-in media, unlike other contact information on the BlackBerry smartphone) as well as photos stored in the file system of that smartphone. See the Additional Details section for more details on user mode processes and the file storage system.

At this time there is no evidence of the vulnerabilities being used in attacks against the BlackBerry platform, and RIM is not aware of any impact to BlackBerry customers as a result of these vulnerabilities.

Resolution

RIM has issued the following updates that resolve these vulnerabilities in BlackBerry 6. RIM recommends that all affected users apply the available software updates below to fully protect their BlackBerry smartphones.

To check for the following available updates for your BlackBerry Device Software, visit http://www.blackberry.com/updates/ or connect your BlackBerry smartphone to your BlackBerry Desktop Software to automatically check for the following updates.  

Note: If http://www.blackberry.com/updates/ or your BlackBerry Desktop Software indicates that your software is up to date but you are running an applications version earlier than the version for your BlackBerry smartphone model listed below, contact your wireless service provider to request the software update listed below.

BlackBerry smartphone model            Software applications version to update to
BlackBerry Bold 9650 smartphone        Version 6.0.0.522 (bundle 2321) or later
BlackBerry® Curve™ 9330 smartphone     Version 6.0.0.522 (bundle 2321) or later
BlackBerry Style 9670 smartphone       Version 6.0.0.522 (bundle 2321) or later
BlackBerry Bold 9700 smartphone        Version 6.0.0.526 (bundle 2342) or later
BlackBerry Bold 9780 smartphone        Version 6.0.0.526 (bundle 2342) or later
BlackBerry® Curve™ 9300 smartphone     Version 6.0.0.526 (bundle 2342) or later
BlackBerry Torch 9800 smartphone       Version 6.0.0.526 (bundle 2342) or later
BlackBerry® Pearl™ 9100 smartphone     Version 6.0.0.526 (bundle 2343) or later
BlackBerry® Pearl™ 9105 smartphone     Version 6.0.0.526 (bundle 2343) or later

Note: BlackBerry® Bold™ 9788 smartphone users do not need to update their BlackBerry Device Software to be protected against these issues. The BlackBerry Bold 9788 smartphone minimum software version when shipped is Version 6.0.0.595 (bundle 2623) or later, which already includes the update for these issues.
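
For administrators who need to check a device inventory against the minimum versions above, the following is an added example, not code from RIM or from this advisory. The CSV layout (id, model, version), the status names and the sample rows are assumptions constructed for illustration; only the model numbers and version thresholds come from the advisory.

```python
import csv
import io

# Minimum fixed applications versions from the advisory (bundles not compared).
MIN_FIXED = {
    "9650": (6, 0, 0, 522), "9330": (6, 0, 0, 522), "9670": (6, 0, 0, 522),
    "9700": (6, 0, 0, 526), "9780": (6, 0, 0, 526), "9300": (6, 0, 0, 526),
    "9800": (6, 0, 0, 526), "9100": (6, 0, 0, 526), "9105": (6, 0, 0, 526),
}
SHIPS_FIXED = {"9788"}  # advisory note: ships with the update included

def parse_version(text):
    """Turn '6.0.0.522' into (6, 0, 0, 522); raise ValueError on junk."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))

def classify(model, version_text):
    """Return not_affected, patched, needs_update or review."""
    try:
        version = parse_version(version_text)
    except ValueError:
        return "review"        # never assume an unreadable version is safe
    if version[0] != 6:
        return "not_affected"  # advisory: earlier than 6.0 and 7+ are unaffected
    if model in SHIPS_FIXED:
        return "patched"
    minimum = MIN_FIXED.get(model)
    if minimum is None:
        return "review"        # BlackBerry 6 device with no table entry
    return "patched" if version >= minimum else "needs_update"

def audit(inventory_csv):
    """Map device id -> status for CSV text with id,model,version columns."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["id"]: classify(r["model"].strip(), r["version"]) for r in rows}

# Constructed sample inventory (not real devices).
SAMPLE = """id,model,version
dev-01,9800,6.0.0.246
dev-02,9800,6.0.0.526
dev-03,9650,6.0.0.524
dev-04,9700,5.0.0.979
dev-05,9900,7.0.0.261
dev-06,9788,6.0.0.595
dev-07,9300,unknown
"""
```

Devices reported as review have an unreadable version or run BlackBerry 6 on a model the table does not list, so they need a manual check rather than being counted as safe.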

Workaround

All workarounds should be considered temporary measures for customers to employ if they cannot install the update immediately or must perform standard testing and risk analysis. RIM recommends that customers without these requirements simply install the update to secure their systems.

For users who are unable to upgrade at this time, this risk can be mitigated by temporarily disabling JavaScript support in the browser or disabling the browser on the BlackBerry smartphone as directed below. Once users have upgraded their BlackBerry Device Software, they can reverse the workaround to re-enable JavaScript support in the browser or re-enable the browser.

Option 1: Disable JavaScript use in the BlackBerry Browser

Users of BlackBerry 6 can disable the use of JavaScript in the BlackBerry Browser to prevent exploitation of the vulnerabilities. The issue is not in JavaScript, but the use of JavaScript is necessary to exploit the vulnerabilities.

Important: Turning off JavaScript may impact the ability to view web pages, or result in a diminished browsing experience.

How to disable JavaScript support on a BlackBerry smartphone

Click the name of your BlackBerry smartphone model to view instructions for turning off JavaScript support.

How to disable JavaScript support on all BlackBerry smartphones in an enterprise

If you are a BlackBerry Enterprise Server administrator, you can turn off JavaScript support using the Disable JavaScript in Browser IT policy rule. View the BlackBerry Enterprise Server Policy Reference Guide for more information.

Important: Notify the affected users in your organization that you have made a change that will impact the ability to view web pages, or result in a diminished browsing experience on BlackBerry smartphones.

Option 2: Disable the BlackBerry Browser

If you are a BlackBerry Enterprise Server administrator, you can disable the BlackBerry Browser on BlackBerry smartphones in your organization using the Allow Browser IT policy rule and the Allow Other Browser Services IT policy rule.

To disable the BlackBerry Browser, complete the following steps in the IT policy or policies:

  1. Click Service Exclusivity policy group.
  2. Set Allow Other Browser Services to False.
  3. Click Global items.
  4. Set Allow Browser to False.

For more information on IT policy rules, see the BlackBerry Enterprise Server Policy Reference Guide.

View more information about using an IT policy to manage BlackBerry Enterprise Solution security.

Important: If users attempt to use browsing by clicking a link in a message received before you disabled the BlackBerry Browser, the following dialog will instruct them to contact their service provider to enable the Browser. Notify the affected users in your organization that you have made a change that will hide the BlackBerry Browser icon on BlackBerry smartphones and prevent use of browsing using links in messages. 

Additional Information

What factors affected the release of this Security Advisory?

A sufficient number of wireless service providers must make a security software update for BlackBerry smartphones publicly available to customers before RIM will publish full details of the software update in a Security Advisory. RIM delivered the software updates to its wireless service provider partners. Where a wireless service provider may not have then provided the software updates to all customers, this policy is intended to protect those customers from increased risk of exploitation. 

Within two weeks of learning of the vulnerabilities that this Security Advisory addresses, RIM tested and delivered fixed software to our wireless service provider partners for their Technical Acceptance process. During the Technical Acceptance process, RIM monitored update availability for nine affected devices available through nearly 500 carriers globally until an availability level was achieved that allowed us to be confident that disclosure of the security vulnerabilities addressed by the software update would protect the interests of the majority of our customers.

RIM continues to work with our partners to expedite the process of software update delivery to BlackBerry smartphone customers.

Have any BlackBerry customers been subject to an attack that exploits any of these vulnerabilities?

No.

What technology component do these vulnerabilities affect?

The affected technology component is the open source WebKit component on BlackBerry smartphones. WebKit is a browser rendering engine designed to allow browsers to display webpages quickly. Browsers from multiple vendors on mobile, desktop and laptop platforms implement WebKit technology.

How would an attacker exploit these vulnerabilities?

Successful exploitation of the vulnerabilities requires the BlackBerry smartphone user to browse to a website that the attacker has maliciously designed. The website could be an otherwise legitimate website that the attacker has compromised. An example of a website that could be compromised is a site that accepts or hosts user-provided HTML content or advertisements.

Can an attacker exploit these vulnerabilities when I am using email on my BlackBerry smartphone?

No. The act of sending, receiving, or reading email does not allow an attacker to exploit these vulnerabilities on your BlackBerry smartphone.

What is the impact of RCE?

An RCE allows the attacker to gain a level of access similar to applications that are running in a process, which includes the ability to both read and write data on the affected system. The ability of an attacker to execute code can be limited by the application architecture and how memory and processes are managed on the device.

What is a user mode process and how does it relate to WebKit?

WebKit does not run in the context of the BlackBerry® Java® Virtual Machine (JVM). WebKit runs only in a user mode process, meaning that it has limited access to data stores on the smartphone. A user mode process can access any data in built-in media storage. Code running in the context of a user mode process has much less control of the device than code running within the operating system kernel.

How does the BlackBerry smartphone use its separate file systems?

The BlackBerry smartphone storage space consists of various sections that store BlackBerry device user data and sensitive information: application storage, built-in media storage, NV (non-volatile) store, and media card. Note that your BlackBerry smartphone may not have a media card inserted.  

Separate processes have specific levels of access to the sections of BlackBerry smartphone storage space. For example, only the operating system can access the NV store. Email and phone functionality is provided by Java applications running on the device, so data such as contacts and email are in the application storage, not built-in media storage.

For more information about the separate file systems, see "Device storage space" in the Deleting Data From Devices Security Note for BlackBerry Device Software.

Is turning on content protection an effective mitigation for these vulnerabilities?

While enabling content protection is a recommended best practice for BlackBerry smartphone security and does provide some level of data protection, RIM advises that it is not a comprehensive mitigation for these vulnerabilities.

What is the difference between a Security Advisory and a Security Notice on blackberry.com?

A Security Advisory publicly notifies BlackBerry customers of the availability of a fix to address a confirmed security vulnerability in BlackBerry products, and provides technical details regarding the vulnerability in combination with additional mitigations and workarounds in order to protect against the threat.

A Security Notice publicly acknowledges and notifies customers of potential security concerns for which a code level fix is not available or needed. The Security Notice may provide, if applicable, potential mitigations, workarounds, and authoritative guidance to reduce risk to BlackBerry customers.

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE corporation.

What is CVSS?

CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS in vulnerability assessments to present an immutable characterization of security issues. RIM assigns all security relevant issues a non-zero score.

Where can I read more about BlackBerry security?

Visit www.blackberry.com/security for more information on BlackBerry security.

Acknowledgements

RIM acknowledges the following security researchers for reporting CVE-2011-1290 to RIM: Vincenzo Iozzo, Ralf Philipp Weinmann, and Willem Pinckaers (reported via TippingPoint and the Zero Day Initiative).
