Vulnerabilities in Adobe Flash Player version included with the BlackBerry PlayBook tablet software

Article ID: KB27365

Type:   Security Advisory

First Published: 06-20-2011

Last Modified: 01-20-2012


Product(s) Affected:

  • Tablets

Affected Software

Adobe® Flash® Player versions included with BlackBerry® PlayBook™ tablet software versions 1.0.5.2342 and earlier.

Non-Affected Software

BlackBerry PlayBook tablet software version 1.0.6 or later.
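For an IT administrator checking a fleet against the two boundaries above (1.0.5.2342 and earlier affected, 1.0.6 or later not affected), the following is an added example and not part of this advisory or any RIM tool. It takes the two version boundaries from the advisory text; the inventory records in it are constructed for illustration. The one thing worth taking from it is that version strings must be compared component by component, not as plain strings: a string comparison would rank "1.0.10" below "1.0.6" and miss that the tablet is already on a later release.

```python
"""Inventory check against the version boundaries in this advisory.

Added example, not part of the advisory or of any RIM/BlackBerry tool.
The version boundaries come from the advisory text; the inventory records
below are constructed for illustration.
"""
from typing import List, Tuple

# Boundaries stated in the advisory.
LAST_AFFECTED = "1.0.5.2342"   # "versions 1.0.5.2342 and earlier" are affected
FIRST_FIXED = "1.0.6"          # "version 1.0.6 or later" is not affected


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of integers.

    Tuples compare component by component, which is what version numbers
    need: a plain string comparison would rank "1.0.10" below "1.0.6".
    Malformed input raises ValueError rather than silently comparing wrong.
    """
    parts = version.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {version!r}")
    return tuple(int(p) for p in parts)


def needs_update(version: str) -> bool:
    """True when the reported OS version is below the first fixed version.

    The advisory names 1.0.5.2342 as the last affected build and 1.0.6 as
    the first fixed one; anything below 1.0.6 is treated here as needing
    the update, which is the conservative reading of the two boundaries.
    """
    return parse_version(version) < parse_version(FIRST_FIXED)


def tablets_needing_update(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the labels of inventory entries whose OS version needs the update."""
    return [label for label, version in inventory if needs_update(version)]


# Constructed sample inventory: (device label, OS version as shown under
# Settings > About). Only 1.0.5.2342 and 1.0.6 are versions named in the
# advisory; the other version numbers are made up for this example.
SAMPLE_INVENTORY = [
    ("tablet-01", "1.0.5.2342"),
    ("tablet-02", "1.0.6"),
    ("tablet-03", "1.0.3.1868"),
    ("tablet-04", "1.0.7.2942"),
    ("tablet-05", "1.0.10"),
]

if __name__ == "__main__":
    for label in tablets_needing_update(SAMPLE_INVENTORY):
        print(f"{label}: update to BlackBerry Tablet OS {FIRST_FIXED} or later")
```

Run against the constructed inventory, only tablet-01 and tablet-03 are reported; tablet-05 on the made-up "1.0.10" is correctly left alone, which a string comparison would have got wrong.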

Are BlackBerry smartphones and the BlackBerry Device Software affected?

No.

Issue Severity

These issues are in the Adobe Flash Player and affect systems that support Adobe Flash. Adobe recommends that affected users update their installations of Adobe Flash Player. Read the following Adobe security bulletins for further information on the issues:

These vulnerabilities have Common Vulnerability Scoring System (CVSS) scores that range from 4.3 to 6.8 (medium severity). See the References section below for the CVSS scores of each issue, listed by CVE® issue identifier.

Overview

This advisory addresses several issues in Adobe Flash Player, the most severe of which could result in remote code execution (RCE) within the context of an application that uses Adobe Flash. On the BlackBerry PlayBook, the BlackBerry Tablet OS is designed to restrict an application's access to system resources and the private data of other applications, which limits the risk and exposure to customers. There are no known attacks against BlackBerry PlayBook tablet users at this time. BlackBerry PlayBook tablet users who have updated the BlackBerry Tablet OS to version 1.0.6 or later are protected from the applicable Adobe Flash vulnerabilities.

Adobe Flash Player is a cross-platform, browser-based application runtime. Adobe Flash Player is created and supported by Adobe and included with the BlackBerry PlayBook tablet software.

Who should read this advisory?

  • BlackBerry PlayBook tablet users
  • IT administrators who deploy BlackBerry PlayBook tablets in an enterprise

Who should apply the software fix(es)?

  • BlackBerry PlayBook tablet users
  • IT administrators who deploy BlackBerry PlayBook tablets in an enterprise

Recommendation

Complete the resolution action documented in this advisory.

Best practices

RIM recommends that BlackBerry PlayBook tablet users do not click links in email messages received from untrusted sources, or on webpages to which untrusted sources have otherwise directed them.

References

View the linked CVE identifiers for descriptions of the Adobe Flash Player security issues that this security advisory addresses.

CVE identifier    CVSS score
CVE-2011-0579     4.3
CVE-2011-0618     6.8
CVE-2011-0620     6.8
CVE-2011-0621     6.8
CVE-2011-0624     6.8
CVE-2011-0625     6.8
CVE-2011-0626     6.8
CVE-2011-2110     6.8

Problem

BlackBerry PlayBook tablet software that uses a vulnerable version of the Adobe Flash Player could potentially be susceptible to information disclosure or remote code execution (RCE).

Successful exploitation of any of these issues requires an attacker to craft Adobe Flash content in a stand-alone Adobe Flash (.swf) application or to embed Adobe Flash content in a website, and then persuade the user to access the Adobe Flash content by clicking a link to the content in an email message or on a webpage.

Impact

Successful exploitation of any of these issues could potentially result in an attacker being able to execute arbitrary code (that is, achieve RCE) in the context of the application that opens the specially crafted Adobe Flash content (typically the web browser). Failed exploitation of one of these issues would likely result in abnormal or unexpected termination of the application.

While Adobe reports that the vulnerability described in bulletin APSB11-18 is being actively leveraged in attacks on users of Adobe Flash content, RIM is not aware of any attacks against BlackBerry PlayBook tablet users at this time.

Mitigations

RIM recommends that all users apply the available software update (BlackBerry PlayBook tablet software version 1.0.6) to fully protect their BlackBerry PlayBook tablet. However, prior to the software update being applied, awareness of the following mitigations may help limit the risk of exposure to an attack.

These issues are mitigated for all users by the prerequisite that the attacker must persuade the user to access the maliciously crafted Adobe Flash content by opening the Adobe Flash application or clicking a maliciously crafted link in an email message. The attacker cannot force the user to access the content, nor bypass the requirement that the user choose to access it.

These vulnerabilities are unlikely to lead to impacts beyond those listed above. The capabilities and permissions of BlackBerry PlayBook tablet applications are heavily restricted using a technique called sandboxing. Sandboxing limits the likelihood of impact to the confidentiality or integrity of other applications or the private data associated with them.

Resolution

RIM has issued BlackBerry PlayBook tablet software version 1.0.6 which resolves these Adobe Flash Player vulnerabilities on affected versions of the BlackBerry PlayBook tablet. Update your BlackBerry PlayBook tablet software to version 1.0.6 or later to apply the update to the Adobe Flash Player as recommended by Adobe.

Update by Accessing the Software Update Notification

Your BlackBerry PlayBook tablet uses notifications to keep you informed about software updates. When a new software update notification comes in, it appears in the top right hand corner of the BlackBerry PlayBook status ribbon.

  1. Simply view your notifications and follow the steps to access the latest software update notification and complete the software update.

Manually Check for Software Updates

  1. From the home screen, tap  to open Options.
  2. Tap Software Updates.
  3. Tap Check for Updates.
After you update your software, the screen will indicate that you have installed BlackBerry Tablet OS version 1.0.6 or later.

Workaround

RIM recommends that all users apply the available software update to fully protect their BlackBerry PlayBook tablet.

All workarounds should be considered temporary measures for customers to employ if they cannot install the update immediately or must perform standard testing and risk analysis. RIM recommends that customers without these requirements simply install the update to secure their systems.

For users who are unable to upgrade at this time, this risk can be mitigated by temporarily disabling all Adobe Flash content in the browser on the BlackBerry PlayBook tablet (in the browser, tap Options > Content, and set Enable Flash to Off).

Important: Turning off Adobe Flash content in the browser will impact the ability to view content on some web pages, and/or result in a diminished browsing experience.

Once users have upgraded their BlackBerry PlayBook tablet software, they can re-enable Adobe Flash content in the browser (in the browser, tap Options > Content, and set Enable Flash to On).

Additional Information

Have any BlackBerry customers been subject to an attack that exploits any of these vulnerabilities?

RIM is not aware of any attacks on or specifically targeting BlackBerry PlayBook tablet users.

Are these vulnerabilities in RIM’s BlackBerry PlayBook tablet source code?

No. The vulnerabilities are in Adobe Flash Player, a cross-platform, browser-based application runtime. Adobe Flash Player is created and supported by Adobe and included with the BlackBerry PlayBook tablet software.

Why does this security advisory only include seven of the 11 issues listed in Adobe Security Bulletin APSB11-12?

The seven issues from Adobe Security Bulletin APSB11-12 that are listed in this security advisory are the only issues from APSB11-12 that impact the BlackBerry PlayBook tablet. The other four issues are specific to other platforms (from other vendors) that use Adobe Flash.

Can a BlackBerry PlayBook tablet user update Adobe Flash Player without performing a full BlackBerry Tablet OS update?

No. The Adobe Flash Player is provided as an integral part of the BlackBerry Tablet OS installation, and they must be updated together.

Can an administrator use BlackBerry Enterprise Server IT policies to disable Adobe Flash Player on BlackBerry PlayBook tablets in an enterprise?

There are no IT policies that an administrator can use to disable Adobe Flash Player on the BlackBerry PlayBook tablet.

Does the BlackBerry PlayBook tablet force me to update my software?

No, your action is required to update the software. Your BlackBerry PlayBook tablet uses notifications to keep you informed about software updates and allows you to easily complete a software update. You can also manually check for software updates. See the Resolution section of this advisory for steps to update your software.

How can I find out what version of BlackBerry Tablet OS I am running?

From the home screen, tap the Settings icon, tap About, and view the OS Version field in the General settings.

Are new (still in the box) BlackBerry PlayBook tablets exposed to these vulnerabilities?

No. During the initial setup process, the BlackBerry PlayBook tablet will download and install the latest version of the BlackBerry Tablet OS, which will be version 1.0.6 or later. The fixes for these vulnerabilities are included in all future versions of the BlackBerry PlayBook tablet software.

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE corporation.

What is CVSS?

CVSS is a vendor-agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS for vulnerability assessments to present an immutable characterization of security issues. RIM assigns all relevant security issues a non-zero score.

Where can I read more about BlackBerry PlayBook security?

Read the BlackBerry PlayBook Security Technical Overview for more information on security features in the BlackBerry PlayBook tablet.

Where can I read more about the security of BlackBerry products and solutions?

Visit www.blackberry.com/security for more information on BlackBerry security.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.
Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.