Vulnerability in Adobe Flash Player version included with the BlackBerry PlayBook tablet software

Article ID: KB27240

Type: Security Advisory

First Published: 11-06-2011

Last Modified: 01-20-2012

Product(s) Affected:

  • Tablets

Affected Software

  • Adobe® Flash® Player versions included with the BlackBerry® PlayBook™ tablet software versions 1.0.5.2304 and earlier

Non Affected Software

  • BlackBerry PlayBook tablet software version 1.0.5.2342 or later

Are BlackBerry smartphones and the BlackBerry Device Software affected?

No.

Issue Severity

The issue is in Adobe Flash Player and affects systems that support Adobe Flash. Adobe recommends that affected users update their installations of Adobe Flash Player. Read Adobe Security Bulletin APSB11-13, "Security update available for Adobe Flash Player", for full details of the issues.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 4.3.

Overview

A vulnerability identified in Adobe Flash Player affects the BlackBerry PlayBook tablet software.

Adobe Flash Player is a cross-platform, browser-based application runtime. Adobe Flash Player is created and supported by Adobe and included with the BlackBerry PlayBook tablet software.

Who should read this advisory?

  • BlackBerry PlayBook tablet users
  • IT administrators who deploy BlackBerry PlayBook tablets in an enterprise

Who should apply the software fix(es)?

  • BlackBerry PlayBook tablet users
  • IT administrators who deploy BlackBerry PlayBook tablets in an enterprise

Recommendation

Complete the resolution action documented in this advisory.

Best practices

RIM recommends that BlackBerry PlayBook tablet users do not click links in emails received from untrusted sources or within webpages they are otherwise directed to by untrusted sources.

References

CVE® Identifier: CVE-2011-2107

Problem

This cross-site scripting vulnerability could be used to perform actions on behalf of a BlackBerry PlayBook tablet user on any website or webmail provider if the user visits a maliciously crafted website that loads Adobe Flash content.

Successful exploitation of this vulnerability requires an attacker to craft Adobe Flash content in a stand-alone Adobe Flash (.swf) application or embed Adobe Flash content in a website, and then persuade the user to access the Adobe Flash content by clicking a link to the content in an email message or on a webpage. The email message could be received at a webmail account that the user accesses in a browser on the BlackBerry PlayBook tablet.

Impact

Successful exploitation of this vulnerability could result in the attacker leveraging sensitive information from the browser session of the compromised website without the knowledge of the BlackBerry PlayBook tablet user. Adobe reports that this vulnerability is being exploited in active targeted attacks on users of Adobe Flash content.

RIM is not aware of any attacks on or specifically targeting BlackBerry PlayBook tablet users.

Mitigations

RIM recommends that all users apply the available software update to fully protect their BlackBerry PlayBook tablet. However, prior to the software update being applied, awareness of the following mitigations may help limit the risk of exposure to an attack.

This issue is mitigated for all users by the prerequisite that the attacker persuade the user to access the maliciously crafted Adobe Flash content by opening the Adobe Flash application or clicking a maliciously crafted link in an email message. The attacker cannot force the user to access the content or bypass the requirement that the user choose to access the content.

This vulnerability is unlikely to lead to impacts beyond cross-site request forgery (a scenario where an attack uses a legitimate user's credentials to perform unwanted actions on behalf of the user on a website to which the user is authenticated). The capabilities and permissions of the BlackBerry PlayBook tablet web browser are heavily restricted using a technique called sandboxing. Sandboxing limits the likelihood of impact to the confidentiality or integrity of enterprise data stored on the BlackBerry PlayBook tablet or a BlackBerry smartphone that is paired with the tablet using BlackBerry Bridge. If the vulnerability is successfully exploited while the user is using the BlackBerry Bridge application, there is a risk that an attacker could use the legitimate user's credentials to perform unwanted actions on websites within the enterprise network.

Resolution

RIM has issued BlackBerry PlayBook tablet software version 1.0.5.2342, which resolves this Adobe Flash Player vulnerability on affected versions of the BlackBerry PlayBook tablet. Update your BlackBerry PlayBook tablet software to version 1.0.5.2342 or later to apply the update to Adobe Flash Player as recommended by Adobe.

Update By Accessing the Software Update Notification

Your BlackBerry PlayBook tablet uses notifications to keep you informed about software updates. When a new software update notification arrives, it appears in the top right-hand corner of the BlackBerry PlayBook status ribbon.

  1. Simply view your notifications and follow the steps to access the latest software update notification and complete the software update.

Manually Check for Software Updates

  1. From the home screen, tap the Settings icon to open Settings.
  2. Tap Software Updates.
  3. Tap Check for Updates.

After you update your software, the screen will indicate that you have installed BlackBerry Tablet OS version 1.0.5.2342 or later.

Workaround

RIM recommends that all users apply the available software update to fully protect their BlackBerry PlayBook tablet.

All workarounds should be considered temporary measures for customers to employ if they cannot install the update immediately or must perform standard testing and risk analysis. RIM recommends that customers without these requirements simply install the update to secure their systems.

For users that are unable to upgrade at this time, this risk can be mitigated by temporarily disabling all Adobe Flash content in the browser on the BlackBerry PlayBook tablet (in the browser, tap Options > Content, and set Enable Flash to Off).

Important: Turning off Adobe Flash content in the browser will impact the ability to view content on some web pages, and/or result in a diminished browsing experience.

Once users have upgraded their BlackBerry PlayBook tablet software, they can re-enable Adobe Flash content in the browser (in the browser, tap Options > Content, and set Enable Flash to On).

Additional Information

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?

RIM is not aware of any attacks on or specifically targeting BlackBerry PlayBook tablet users.

Is this a vulnerability in RIM’s BlackBerry PlayBook tablet source code?

No. The vulnerability is in Adobe Flash Player, a cross-platform, browser-based application runtime. Adobe Flash Player is created and supported by Adobe and included with the BlackBerry PlayBook tablet software.

Can a BlackBerry PlayBook tablet user update Flash Player without performing a full BlackBerry Tablet OS update?

No. The Adobe Flash Player is provided as an integral part of the BlackBerry Tablet OS installation, and they must be updated together.

Can an administrator use BlackBerry Enterprise Server IT policies to disable Adobe Flash Player on BlackBerry PlayBook tablets in an enterprise?

There are no IT policies that an administrator can use to disable Adobe Flash Player on the BlackBerry PlayBook tablet.

Can an attacker access enterprise data if a successful attack is performed by getting the user to click a link in the BlackBerry PlayBook tablet web browser?

No.

Does the BlackBerry PlayBook tablet force me to update my software?

No, your action is required to update the software. Your BlackBerry PlayBook tablet uses notifications to keep you informed about software updates and allows you to easily complete a software update. You can also manually check for software updates. See the Resolution section of this advisory for steps to update your software.

How can I find out what version of BlackBerry Tablet OS I am running?

From the home screen, tap the Settings icon, tap About, and view the OS Version field in the General settings.

I already have version 1.0.5 of the BlackBerry Tablet OS. Do I need to update my software?

Yes, you need to update to version 1.0.5.2342 or later to be protected against the vulnerability.
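The answer above matters for administrators who inventory tablets by version string: a tablet reporting "1.0.5" is not the same as one reporting "1.0.5.2342", because the fourth component is the build number that carries the fix. The following is an added example, not code from RIM or this advisory, showing how an inventory check would compare reported versions against the fixed build named here. The inventory dictionary is constructed sample data, and the function and variable names are my own.

```python
# Added example (not from the RIM advisory): flag BlackBerry PlayBook tablets
# whose reported Tablet OS version is below the fixed build this advisory names.

FIXED_BUILD = "1.0.5.2342"  # fixed build, taken from the advisory text


def parse_version(version: str) -> tuple:
    """Turn a dotted version string into a tuple of ints: '1.0.5.2342' -> (1, 0, 5, 2342)."""
    try:
        return tuple(int(part) for part in version.strip().split("."))
    except ValueError as exc:
        raise ValueError(f"malformed version string: {version!r}") from exc


def is_fixed(version: str, fixed: str = FIXED_BUILD) -> bool:
    """True when `version` is at or above `fixed`.

    Shorter strings are padded with zeros before comparing, so a tablet that
    only reports '1.0.5' is treated as 1.0.5.0, i.e. still affected, which
    matches the advisory's answer that 1.0.5 alone is not enough.
    """
    have, need = parse_version(version), parse_version(fixed)
    width = max(len(have), len(need))
    have += (0,) * (width - len(have))
    need += (0,) * (width - len(need))
    return have >= need


def audit(inventory: dict) -> list:
    """Return the names of devices that still need the update, sorted for stable output."""
    return sorted(name for name, version in inventory.items() if not is_fixed(version))


# Constructed sample inventory: device name -> version reported in Settings > About.
SAMPLE_INVENTORY = {
    "playbook-alpha": "1.0.5.2304",   # last affected build named in the advisory
    "playbook-bravo": "1.0.5",        # build number not reported: treat as affected
    "playbook-charlie": "1.0.5.2342", # exactly the fixed build
    "playbook-delta": "1.0.6.2390",   # constructed later build, assumed fixed
    "playbook-echo": "1.0.3.1868",    # constructed older build
}

if __name__ == "__main__":
    for device in audit(SAMPLE_INVENTORY):
        print(f"{device}: version {SAMPLE_INVENTORY[device]} needs update to {FIXED_BUILD} or later")
```

The comparison deliberately treats a missing build number as zero rather than as "unknown but probably fine"; for a patch check, the safe default is to keep a device on the to-do list until it reports a build that is provably at or above the fix.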

Are new (still in the box) BlackBerry PlayBooks exposed to this vulnerability?

No. During the initial setup process, the BlackBerry PlayBook tablet will download and install the latest version of the BlackBerry PlayBook Tablet OS, which will be version 1.0.5.2342 or later. The fix for the vulnerability is included in all future versions of the BlackBerry PlayBook tablet software.

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE corporation.

CVSS

CVSS is a vendor-agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS for vulnerability assessments to present an immutable characterization of security issues. RIM assigns all relevant security issues a non-zero score.

Where can I read more about BlackBerry PlayBook security?

Read the BlackBerry PlayBook Security Technical Overview for more information on security features in the BlackBerry PlayBook tablet.

Where can I read more about the security of BlackBerry products and solutions?

Visit www.blackberry.com/security for more information on BlackBerry security.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.