BSRT-2012-002 Vulnerability in WebKit browser engine impacts BlackBerry 6, BlackBerry 7, BlackBerry 7.1, and BlackBerry PlayBook tablet software

Article ID: KB30152

Type:   Security Notice

First Published: 03-02-2012

Last Modified: 03-02-2012

Product(s) Affected:

  • BlackBerry Bold 9700
  • BlackBerry Curve 9360
  • BlackBerry Torch 9850
  • BlackBerry Curve 9380
  • BlackBerry Torch 9810
  • BlackBerry Bold 9650
  • BlackBerry Torch 9800
  • BlackBerry Curve 9300
  • BlackBerry Curve 9350
  • BlackBerry Bold 9900
  • BlackBerry PlayBook tablets
  • BlackBerry Bold 9780
  • BlackBerry Pearl 9100 Series
  • BlackBerry Curve 9330
  • BlackBerry Bold 9790
  • BlackBerry Bold 9930
  • BlackBerry Curve 9370
  • BlackBerry Torch 9860

Affected Third-Party Components

The affected technology component is the open source WebKit browser engine used in BlackBerry 6® OS, BlackBerry 7 OS and 7.1 OS, and BlackBerry PlayBook tablet software (all versions).

Issue Severity

On BlackBerry smartphones running BlackBerry 6, BlackBerry 7, and BlackBerry 7.1, this vulnerability has a Common Vulnerability Scoring System (CVSS) score of 6.8.

On the BlackBerry PlayBook tablet, this vulnerability has a CVSS score of 7.5.

Overview

RIM has confirmed the report of a vulnerability impacting BlackBerry smartphones and the BlackBerry PlayBook tablet as presented at the RSA Security Conference in San Francisco on February 29, 2012. This vulnerability affects the implementation of open source WebKit technology in BlackBerry smartphones running BlackBerry 6, BlackBerry 7 and BlackBerry 7.1, and all versions of the BlackBerry PlayBook tablet.

This security notice addresses mitigations and workarounds that affected BlackBerry customers can implement to help protect themselves from this vulnerability.  Further details of how the vulnerability affects BlackBerry smartphones running BlackBerry 6, BlackBerry 7 and BlackBerry 7.1, and all versions of the BlackBerry PlayBook tablet software are described below.

Who should read this notice

  • BlackBerry Enterprise Server administrators
  • BlackBerry smartphone users using BlackBerry 6, BlackBerry 7, and BlackBerry 7.1
  • BlackBerry PlayBook tablet users
  • IT administrators who deploy BlackBerry PlayBook tablets in an enterprise

Details of the vulnerability demonstrated at the RSA Security Conference have not been made public at this time, and there is no evidence of the vulnerability being used in attacks against the BlackBerry platform. RIM is not aware of any impact to BlackBerry customers as a result of this vulnerability and is working to release software security updates to address it.

BlackBerry 6, BlackBerry 7, and BlackBerry 7.1

Successful exploitation of this vulnerability requires the BlackBerry smartphone user to browse to a website that the attacker has maliciously designed. A successful attack could result in remote code execution (RCE) on a smartphone running BlackBerry 6, BlackBerry 7, or BlackBerry 7.1. An attacker exploiting this vulnerability could read or write to the built-in media storage section of a BlackBerry smartphone or to the media card. The attacker cannot access user data that the email, calendar, and contact applications store in the application storage (the internal file system that stores application data and user data) of the BlackBerry smartphone.

BlackBerry PlayBook tablet software (all versions)

The following describes the results of successful exploitation on the various browser and email options for the BlackBerry PlayBook.

BlackBerry PlayBook browser

Successful exploitation of the vulnerability on the BlackBerry PlayBook browser requires the BlackBerry PlayBook user to browse to a website that the attacker has maliciously designed. A successful attack could result in RCE in the context of the browser on a BlackBerry PlayBook using the BlackBerry PlayBook browser.

Bridge Browser

A BlackBerry PlayBook tablet that is connected to the smartphone using BlackBerry® Bridge can use the Bridge Browser to browse the Internet or intranet in BlackBerry Bridge mode. Successful exploitation of the vulnerability on the Bridge Browser requires a BlackBerry PlayBook user to browse to a website that the attacker has maliciously designed. A successful attack could result in RCE in the context of the Bridge Browser on a BlackBerry PlayBook.

Android® Runtime

Successful exploitation of this vulnerability using Android Runtime requires that the BlackBerry PlayBook user has downloaded an Android Runtime application that uses the WebKit browser engine, and uses the app to browse to a website that the attacker has maliciously designed. A successful attack could result in RCE in the context of that application.

Messages app (BlackBerry PlayBook 2.0 only)

Successful exploitation of this vulnerability using the built-in Messages app on the BlackBerry PlayBook 2.0 requires that the BlackBerry PlayBook user do one of the following:

  • Preview or open an email message containing content that the attacker has maliciously designed.
  • Preview or open an email message and click a link that points to a maliciously designed website.

A successful attack could result in RCE in the context of the Messages app.

BlackBerry Bridge email app

Successful exploitation of this vulnerability using the BlackBerry Bridge email app on the BlackBerry PlayBook 2.0 requires that the BlackBerry PlayBook user do one of the following:

  • Preview or open an email message containing content that the attacker has maliciously designed.
  • Preview or open an email message and click a link that points to a maliciously designed website.

A successful attack could result in RCE in the context of the BlackBerry Bridge email app.

Workaround

All workarounds should be considered temporary measures for customers to employ if they cannot install an update immediately or must perform standard testing and risk analysis.

Restrict BlackBerry smartphone users to only browse trusted websites via BlackBerry MDS Connection Service

BlackBerry Enterprise Server administrators can force all browser traffic in their organization to use the BlackBerry MDS Connection Service to restrict browsing to their organization's intranet or to specific trusted sites. Administrators can configure the BlackBerry MDS Connection Service to use a proxy or web filtering service to block untrusted sites. These steps also prevent the browser from failing over to unrestricted browsing via the BlackBerry Internet Service if the user's BlackBerry Enterprise Server is unavailable; in that case the user sees the error message, "A communication failure occurred with the selected Mobile Data Service. The server may be busy, please try again later. If the problem persists contact your administrator".

To force traffic through the BlackBerry MDS Connection Service, BlackBerry Enterprise Server administrators need to complete the following steps:

  1. Click the Browser policy group.
  2. Set Allow IBS Browser to No.
  3. Set Allow Hotspot Browser to Disallow.
  4. Click the Device only policy group.
  5. Set Enable WAP Config to No.
  6. Click the Service Exclusivity policy group.
  7. Set Allow Other Browser Services to No.
  8. Click the Global policy group.
  9. Set Allow Browser to Yes.
  10. Configure the Mobile Data Service to use a proxy or web filtering service (see KB15673 for more information).

Disable the BlackBerry Browser

If you are a BlackBerry Enterprise Server administrator, you can disable the BlackBerry Browser on BlackBerry smartphones in your organization using the Allow Browser IT policy rule and the Allow Other Browser Services IT policy rule.

To disable the BlackBerry Browser, complete the following steps in the IT policy or policies:

  1. Click Service Exclusivity policy group.
  2. Set Allow Other Browser Services to False.
  3. Click Global items.
  4. Set Allow Browser to False.

For more information on IT policy rules, see the BlackBerry Enterprise Server Policy Reference Guide.

View more information about using an IT policy to manage BlackBerry Enterprise Solution security.

Important: If users attempt to browse by clicking a link in a message they received before you disabled the BlackBerry Browser, a dialog will instruct them to contact their service provider to enable the browser. Notify the affected users in your organization that you have made a change that hides the BlackBerry Browser icon on BlackBerry smartphones and prevents browsing via links in messages.

Mitigations

Mitigations for this vulnerability are as follows:

BlackBerry 6, BlackBerry 7 and BlackBerry 7.1

  • WebKit does not run in the context of the BlackBerry® Java® Virtual Machine (JVM). WebKit runs only in a user mode process, meaning that it has limited access to data stores on the smartphone. A user mode process can access any data in built-in media storage. Code running in the context of a user mode process has much less control of the device than code running within the operating system kernel.
  • An attacker cannot force exploitation of the vulnerability without user interaction, because the user must visit a maliciously crafted website.

BlackBerry PlayBook tablet

  • WebKit runs only in a user process, meaning that it has limited access to data stores on the PlayBook. Code running in the context of a user process has much less control of the device than code running within the operating system kernel.

Additional Information

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?

At this time there is no evidence of the vulnerability being used in attacks against the BlackBerry platform, and RIM is not aware of any impact to BlackBerry customers as a result of this vulnerability.

How would an attacker exploit this vulnerability?

Depending on the affected product, successful exploitation of the vulnerability requires the user to either browse to a website that the attacker has maliciously designed, or preview or open an email containing a link to the website. The website could be an otherwise legitimate website that the attacker has compromised. An example of a website that could be compromised is a site that accepts or hosts user-provided HTML content or advertisements.

What technology component does this vulnerability affect?

The affected technology component is the open source WebKit component used on BlackBerry smartphones running BlackBerry 6, BlackBerry 7 and 7.1, and on BlackBerry PlayBook tablet software. WebKit is a browser rendering engine designed to allow browsers to display webpages quickly. Browsers from multiple vendors on mobile, desktop and laptop platforms implement WebKit technology.

What is the impact of RCE?

An RCE allows the attacker to gain a level of access similar to that of the application running in the compromised process, which includes the ability to both read and write data on the affected system. The ability of an attacker to execute code can be limited by the application architecture and by how memory and processes are managed on the device.

Is the BlackBerry Enterprise Server affected?

No. Only products that ship with the open source WebKit browser engine are affected.

What is the difference between a Security Advisory and a Security Notice on blackberry.com?

A Security Advisory publicly notifies BlackBerry customers of the availability of a fix to address a confirmed security vulnerability in BlackBerry products, and provides technical details regarding the vulnerability in combination with additional mitigations and workarounds in order to protect against the threat.

A Security Notice publicly acknowledges and notifies customers of potential security concerns for which a code-level fix is not available or needed. The Security Notice may provide, if applicable, potential mitigations, workarounds, and authoritative guidance to reduce risk to BlackBerry customers.

For information on BlackBerry security, visit www.blackberry.com/security.

What is CVSS?

CVSS is a vendor-agnostic, open industry standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS for vulnerability assessments to present an immutable characterization of security issues. RIM assigns all relevant security issues a non-zero score.

Visit www.blackberry.com/security for more information on BlackBerry security.

BlackBerry smartphones only

Can an attacker exploit these vulnerabilities when I am using email on my BlackBerry smartphone?

No. The act of sending, receiving, or reading email does not allow an attacker to exploit these vulnerabilities on your BlackBerry smartphone.

What is a user mode process and how does it relate to WebKit?

WebKit does not run in the context of the BlackBerry® Java® Virtual Machine (JVM). WebKit runs only in a user mode process, meaning that it has limited access to data stores on the smartphone. A user mode process can access any data in built-in media storage. Code running in the context of a user mode process has much less control of the device than code running within the operating system kernel.

How does the BlackBerry smartphone use its separate file systems?

The BlackBerry smartphone storage space consists of various sections that store BlackBerry device user data and sensitive information: application storage, built-in media storage, NV (non-volatile) store, and media card. Note that your BlackBerry smartphone may not have a media card inserted.

Separate processes have specific levels of access to the sections of BlackBerry smartphone storage space. For example, only the operating system can access the NV store. Email and phone functionality is provided by Java applications running on the device, so data such as contacts and email are in the application storage, not built-in media storage.

For more information about the separate file systems, see "Device storage space" in the Deleting Data From Devices Security Note for BlackBerry Device Software.

Is turning on content protection an effective mitigation for these vulnerabilities?

While enabling content protection is a recommended best practice for BlackBerry smartphone security and does provide some level of data protection, RIM advises that it is not a comprehensive mitigation for these vulnerabilities.

BlackBerry smartphones and BlackBerry PlayBook tablet

How could an attacker use a message to a user to launch an attack that exploits this issue?

The most common scenario on a BlackBerry smartphone involves the user receiving a hyperlink to a malicious website through SMS, email, or BBM. Clicking the link and visiting the malicious site allows exploitation of the WebKit issue. It is also possible for the vulnerability to be triggered when viewing a maliciously crafted email in the preview pane of the Messages app on the BlackBerry PlayBook 2.0.

What can the attacker gain access to if a user clicks the malicious link?

The attacker would have the same permissions as the application used to browse the website. Applications, as well as the native WebKit-based web browsers on BlackBerry devices, run in a sandbox with reduced permissions. Using this vulnerability by itself will not gain the attacker root-level permissions on the device.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.

Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.