Adobe® Flash® Player versions included with BlackBerry® PlayBook™ tablet software versions 184.108.40.2068 and earlier.
BlackBerry PlayBook tablet software version 220.127.116.118 or later.
Note: BlackBerry PlayBook tablet software version 18.104.22.1688 is no longer available. The current available software version is BlackBerry PlayBook tablet software version 22.214.171.1242.
These issues are in the Adobe Flash Player and affect systems that support Adobe Flash. Adobe recommends that affected users update their installations of Adobe Flash Player. Read the following Adobe security bulletins for further information on the issues:
- Adobe Security Bulletin APSB12-03, Security update available for Adobe Flash Player
- Adobe Security Bulletin APSB12-05, Security update available for Adobe Flash Player
- Adobe Security Bulletin APSB12-07, Security update available for Adobe Flash Player
- Adobe Security Bulletin APSB12-09, Security update available for Adobe Flash Player
These vulnerabilities have Common Vulnerability Scoring System (CVSS) scores that range from 4.3 to 6.8. See the References section below for the CVSS scores of each issue, listed by CVE® issue identifier.
This advisory addresses several issues in Adobe Flash Player, the most severe of which could result in remote code execution (RCE) within the context of an application that uses Adobe Flash (such as the BlackBerry PlayBook browser).
On the BlackBerry PlayBook, the BlackBerry Tablet OS is designed to restrict an application's access to system resources and the private data of other applications, which limits the risk and exposure to customers. There are no known attacks against BlackBerry PlayBook tablet users at this time.
The latest available software update that addresses the issues in this advisory is BlackBerry PlayBook tablet software version 126.96.36.1992. RIM recommends that all users apply the latest available software update to fully protect their BlackBerry PlayBook tablets. BlackBerry PlayBook tablet software version 188.8.131.528 was briefly available for BlackBerry PlayBook tablet users to update to, but is no longer available. BlackBerry PlayBook tablet users who successfully updated the BlackBerry Tablet OS to version 184.108.40.2068 or later are fully protected from these vulnerabilities.
Adobe Flash Player is a cross-platform, browser-based application runtime. Adobe Flash Player is created and supported by Adobe and included with the BlackBerry PlayBook tablet software.
- BlackBerry PlayBook tablet users
- IT administrators who deploy BlackBerry PlayBook tablets in an enterprise
RIM recommends that BlackBerry PlayBook tablet users do not click links in emails received from untrusted sources or within webpages they are otherwise directed to by untrusted sources.
View the linked CVE identifiers for descriptions of the Adobe Flash Player security issues that this security advisory addresses.
|CVE identifier||CVSS score|
BlackBerry PlayBook tablet software that uses a vulnerable version of the Adobe Flash Player could potentially be susceptible to remote code execution (RCE).
Successful exploitation of these issues requires an attacker to craft Adobe Flash content in a standalone Adobe Flash (.swf) application or embed Adobe Flash content in a website and then persuade the user to access the Adobe Flash content by clicking a link to the content in an email message or on a webpage. The email message could be received at a webmail account that the user accesses in a browser on the BlackBerry PlayBook tablet.
Successful exploitation of any of these issues could potentially result in an attacker being able to execute arbitrary code (that is, achieve RCE) in the context of the application that opens the specially crafted Adobe Flash content (typically the web browser). Failed exploitation of these issues might result in abnormal or unexpected termination of the application.
While Adobe reports that the vulnerabilities described in bulletin APSB12-09 are being actively leveraged in attacks on users of Adobe Flash content, RIM is not aware of any attacks against BlackBerry PlayBook tablet users at this time.
RIM recommends that all users apply the available software update (BlackBerry PlayBook tablet software version 220.127.116.112) to fully protect their BlackBerry PlayBook tablet. However, prior to the software update being applied, awareness of the following mitigations may help limit the risk of exposure to an attack.
These issues are mitigated for all users by the prerequisite that the attacker must persuade the user to access the maliciously crafted Adobe Flash content by opening the Adobe Flash application or clicking a maliciously crafted link in an email message or on a webpage. The attacker cannot force the user to access the content or bypass the requirement that the user chooses to access the content.
These vulnerabilities are unlikely to lead to impacts beyond those listed above. The capabilities and permissions of BlackBerry PlayBook tablet applications are heavily restricted using a technique called sandboxing. Sandboxing limits the likelihood of impact to the confidentiality or integrity of other applications or the private data associated with them.
RIM has issued BlackBerry PlayBook tablet software version 18.104.22.1682, which resolves these vulnerabilities on affected versions of the BlackBerry PlayBook tablet. Update your BlackBerry PlayBook tablet software to version 22.214.171.1242 or later to apply the update to Adobe Flash Player as recommended by Adobe.
BlackBerry PlayBook tablet software version 126.96.36.1998 also addressed the issues and was briefly available for BlackBerry PlayBook tablet users to update to, but is no longer available.
Note: This BlackBerry PlayBook tablet update includes all previously released security updates to the BlackBerry Tablet OS.
Update by Accessing the Software Update Notification
Your BlackBerry PlayBook tablet uses notifications to keep you informed about software updates. When a new software update notification comes in, it appears in the BlackBerry PlayBook status ribbon at the top of the screen.
Simply view your notifications and follow the steps to access the latest software update notification and complete the software update.
Manually Check for Software Updates
- From the home screen, tap the icon to open Options.
- Tap Software Updates.
- Tap Check for Updates.
After you update your software, the screen will indicate that you have installed BlackBerry Tablet OS version 188.8.131.522 or later.
All workarounds should be considered temporary measures for customers to employ if they cannot install the update immediately or must perform standard testing and risk analysis. RIM recommends that customers without these requirements simply install the update to secure their systems.
For users that are unable to upgrade at this time, this risk can only be mitigated by temporarily disabling all Adobe Flash content in the browser on the BlackBerry PlayBook tablet (in the browser, tap Options > Content, and set Enable Flash to Off).
Important: Turning off Adobe Flash content in the browser will impact the ability to view content on some web pages, and/or result in a diminished browsing experience.
Once users have upgraded their BlackBerry PlayBook tablet software, they can re-enable Adobe Flash content in the browser (in the browser, tap Options > Content, and set Enable Flash to On).
Why was BlackBerry PlayBook tablet software version 184.108.40.2068 removed?
BlackBerry PlayBook tablet software version 220.127.116.118 was removed due to an issue unrelated to the security update included with it. RIM recommends that all users update to the latest available software update (version 18.104.22.1682) to fully protect their BlackBerry PlayBook tablets.
Are BlackBerry PlayBook tablet users that successfully updated to BlackBerry PlayBook tablet software version 22.214.171.1248 still vulnerable?
No. BlackBerry PlayBook tablet users that successfully updated to BlackBerry PlayBook tablet software version 126.96.36.1998 are fully protected from these Adobe Flash vulnerabilities.
Have any BlackBerry customers been subject to an attack that exploits these vulnerabilities?
RIM is not aware of any attacks on or specifically targeting BlackBerry PlayBook tablet users.
Are these vulnerabilities in RIM’s BlackBerry PlayBook tablet source code?
No. These vulnerabilities are in Adobe Flash Player, a cross-platform, browser-based application runtime. Adobe Flash Player is created and supported by Adobe and included with the BlackBerry PlayBook tablet software.
Can a BlackBerry PlayBook tablet user update Adobe Flash Player without performing a full BlackBerry Tablet OS update?
No. The Adobe Flash Player is provided as an integral part of the BlackBerry Tablet OS installation, and they must be updated together.
Can an administrator use BlackBerry Enterprise Server IT policies to disable Adobe Flash Player on BlackBerry PlayBook tablets in an enterprise?
There are no IT policies that an administrator can use to disable Adobe Flash Player on the BlackBerry PlayBook tablet.
Does the BlackBerry PlayBook tablet force me to update my software?
No, your action is required to update the software. Your BlackBerry PlayBook tablet uses notifications to keep you informed about software updates and allows you to easily complete a software update. You can also manually check for software updates. See the Resolution section of this advisory for steps to update your software.
How can I find out what version of BlackBerry Tablet OS I am running?
From the home screen, tap the Settings icon, tap About, and view the OS Version field in the General settings.
Are new (still in the box) BlackBerry PlayBook tablets exposed to these vulnerabilities?
No. During the initial setup process, the BlackBerry PlayBook tablet will download and install the latest version of the BlackBerry Tablet OS, which will be version 188.8.131.522 or later. The fixes for these vulnerabilities are included in all future versions of the BlackBerry PlayBook tablet software.
What is CVE?
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE corporation.
What is CVSS?
CVSS is a vendor-agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS for vulnerability assessments to present an immutable characterization of security issues. RIM assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.
Where can I read more about BlackBerry PlayBook tablet security?
Read the BlackBerry PlayBook Security Technical Overview for more information on security features in the BlackBerry PlayBook tablet.
Where can I read more about the security of BlackBerry products and solutions?
Visit http://www.blackberry.com/security for more information on BlackBerry security.
Content update. New update directs customers to upgrade to version 184.108.40.2062.