This advisory addresses libexif library vulnerabilities that are not currently being exploited but affect BlackBerry® PlayBook™ tablet customers. BlackBerry® customer risk is limited by the BlackBerry tablet OS design, which restricts an application's access to system resources and to the private data of other applications. Successful exploitation requires an attacker to craft a malicious image file and also requires that a user opens or saves this image file from an email or website. If the requirements for exploitation are met, an attacker could potentially gain access to, read or modify data on the device. After installing the recommended software update, affected BlackBerry PlayBook tablet customers will be fully protected from these vulnerabilities.
Have any BlackBerry customers been subject to an attack that exploits these vulnerabilities?
BlackBerry is not aware of any attacks targeting BlackBerry tablet customers using these libexif vulnerabilities.
What factors affected the release of this security advisory?
This advisory addresses publicly known libexif vulnerabilities. BlackBerry publishes full details of a software update in a security advisory after the fix is available to the majority of our customers and wireless service provider partners. Publishing this advisory ensures that all of our customers can protect themselves by updating their software, or employing available workarounds if updating is not possible. Customers for whom the software update is not yet available should contact their wireless service provider to request BlackBerry Tablet OS version 220.127.116.113 or later.
Where can I read more about BlackBerry PlayBook tablet security?
Read the BlackBerry PlayBook Tablet Security Feature Overview and the BlackBerry Enterprise Service 10 Security Technical Overview for more information on security features in the BlackBerry PlayBook tablet.
Where can I read more about the security of BlackBerry products and solutions?
Visit http://us.blackberry.com/business/topics/security.html for more information on BlackBerry security.
BlackBerry has issued a fix for these vulnerabilities, which is included in BlackBerry PlayBook tablet software version 18.104.22.1683. This software update resolves these vulnerabilities on affected versions of the BlackBerry PlayBook tablet. Update BlackBerry PlayBook tablet software to version 22.214.171.1243 or later to be fully protected from these issues.
Note: If customers are running a BlackBerry Tablet OS version earlier than 126.96.36.1993 but do not see a software update notification and the device indicates that the software is up to date, customers should contact their wireless service provider to request BlackBerry Tablet OS version 188.8.131.523 or later.
See the Mitigations section of this advisory for information on how to manage potential risk until the software update is available for all customers.
Update by Accessing the Software Update Notification
BlackBerry PlayBook tablets use notifications to keep customers informed about software updates. When a new software update notification is available, it appears in the status ribbon at the top of the screen on the BlackBerry PlayBook tablet.
Simply view the notifications and follow the steps to access the latest software update notification and complete the software update.
Manually Check for Software Updates on the BlackBerry PlayBook tablet
- From the home screen, swipe down from the top of the screen.
- Tap Software Updates.
- Tap Check for Updates.
Customers can also update the device software using BlackBerry® Desktop Software. For more information, see the Help documentation for BlackBerry Desktop Software.
After customers update their software, the screen will indicate that BlackBerry Tablet OS version 184.108.40.2063 or later is installed on the device.
How can I find out what version of BlackBerry Tablet OS I am running?
From the home screen, tap the Settings icon, tap About, and view the OS Version field in the General settings.
Are new (still in the box) BlackBerry PlayBook tablets exposed to these vulnerabilities?
As long as the user fully completes the device setup, including the device software update, the user's tablet will not be affected. During the initial setup process, the BlackBerry PlayBook tablet will download and install the latest version of the OS. The fix for these vulnerabilities is included in all versions of the BlackBerry PlayBook tablet software after version 220.127.116.113.
Note: If a customer is running a BlackBerry Tablet OS version earlier than 18.104.22.1683 but does not see a software update notification during the initial setup process and the device indicates that the software is up to date, customers should contact their wireless service provider to request BlackBerry Tablet OS version 22.214.171.1243 or later.
Are BlackBerry smartphones exposed to this vulnerability?
Does the BlackBerry PlayBook tablet force me to update my software?
No; customer action is required to update the software. BlackBerry PlayBook tablets use notifications to keep customers informed about software updates and provide instructions for customers to easily install a software update. Customers can also manually check for software updates. See the Resolution section of this advisory for steps to update customer software.
Can a BlackBerry PlayBook tablet user update the libexif library without performing a full BlackBerry Tablet OS update?
No. The libexif library is provided as an integral part of the BlackBerry Tablet OS installation, so it can only be updated together with the OS.
Multiple vulnerabilities exist in the open source EXIF tag parsing library (libexif) supplied with affected versions of the BlackBerry PlayBook Tablet OS. The libexif library is an open source component used for processing EXIF metadata tags embedded in images. Successful exploitation of one or more of these vulnerabilities could result in an attacker executing code in the context of the application that opens the specially crafted image.
In order to exploit these vulnerabilities, an attacker must craft an image with malformed EXIF data. The attacker must then cause the user to take action to open or save the image, after the image has been displayed in an email message or on a webpage.
These issues are in the libexif library and affect systems that support the libexif library. Read the following libexif project security bulletin for further information on the issues: http://sourceforge.net/mailarchive/message.php?msg_id=29534027
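The bug class described above is a metadata parser trusting offsets, counts and types taken from the image. As an added illustration (this is not code from libexif, BlackBerry or the linked bulletin), the following C walker parses the TIFF-style header and IFD0 of an EXIF blob and refuses any entry whose type is unknown, whose count times element size exceeds the buffer, or whose data offset points past the end. The three sample byte arrays are constructed for this example; `exif_parse_ifd0` and `exif_entry_ascii` are the example's own names, not libexif API.

```c
/* Added example (not libexif or BlackBerry code): a minimal TIFF/EXIF IFD0
 * walker that validates every file-supplied offset, count and type before
 * touching memory. The sample blobs at the bottom are constructed by hand. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define EXIF_MAX_TYPE 12
/* Byte width of each TIFF component type, indexed by type id; 0 = invalid. */
static const size_t exif_type_size[EXIF_MAX_TYPE + 1] =
    {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

typedef struct {
    uint16_t tag, type;
    uint32_t count;
    uint32_t data_off;  /* offset of the value from the TIFF header */
    size_t   data_len;  /* count * element size, already verified to fit */
} exif_entry_t;

static uint16_t rd16(const uint8_t *p, int le) {
    return le ? (uint16_t)(p[0] | (p[1] << 8)) : (uint16_t)((p[0] << 8) | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* Parses the TIFF header and IFD0 from buf[0..len). Fills out[] with up to
 * max_out validated entries and returns how many entries were accepted, or
 * -1 if the header, the entry table, or any entry's type, size or data
 * offset lies outside buf. The whole IFD is rejected on the first bad entry:
 * a parser that merely skips bad entries still tends to trust their neighbours. */
int exif_parse_ifd0(const uint8_t *buf, size_t len, exif_entry_t *out, size_t max_out) {
    if (len < 8) return -1;
    int le;
    if (buf[0] == 'I' && buf[1] == 'I') le = 1;        /* little-endian */
    else if (buf[0] == 'M' && buf[1] == 'M') le = 0;   /* big-endian */
    else return -1;
    if (rd16(buf + 2, le) != 42) return -1;           /* TIFF magic */

    uint32_t ifd = rd32(buf + 4, le);
    if (ifd < 8 || ifd > len || len - ifd < 2) return -1;   /* entry count in range */
    uint16_t n = rd16(buf + ifd, le);
    size_t table = (size_t)n * 12 + 4;                      /* 12-byte entries + next-IFD link */
    if (len - ifd - 2 < table) return -1;                   /* whole table in range */

    size_t accepted = 0;
    for (uint16_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        exif_entry_t ent;
        ent.tag   = rd16(e, le);
        ent.type  = rd16(e + 2, le);
        ent.count = rd32(e + 4, le);
        if (ent.type == 0 || ent.type > EXIF_MAX_TYPE) return -1;
        uint64_t size = (uint64_t)ent.count * exif_type_size[ent.type];  /* cannot wrap in 64 bits */
        if (size > len) return -1;
        ent.data_len = (size_t)size;
        if (size <= 4) {
            ent.data_off = (uint32_t)(e + 8 - buf);         /* value is stored inline */
        } else {
            ent.data_off = rd32(e + 8, le);
            if (ent.data_off > len || len - ent.data_off < size) return -1;  /* no off+size overflow */
        }
        if (accepted < max_out) out[accepted] = ent;
        accepted++;
    }
    return (int)accepted;
}

/* Copies an ASCII entry into dst as a NUL-terminated string, truncating to
 * the destination size rather than trusting the file-supplied count. */
size_t exif_entry_ascii(const uint8_t *buf, const exif_entry_t *e, char *dst, size_t dstlen) {
    if (dstlen == 0 || e->type != 2) return 0;
    size_t n = e->data_len < dstlen - 1 ? e->data_len : dstlen - 1;
    memcpy(dst, buf + e->data_off, n);
    dst[n] = '\0';
    return n;
}

/* Constructed sample: little-endian header, one ImageDescription (0x010E,
 * ASCII) entry in IFD0 whose 6 bytes of data sit at offset 26 of 32. */
static const uint8_t exif_good[] = {
    'I','I', 42,0, 8,0,0,0,                    /* "II", magic 42, IFD0 at offset 8 */
    1,0,                                       /* one entry */
    0x0E,0x01, 2,0, 6,0,0,0, 26,0,0,0,         /* tag, type ASCII, count 6, offset 26 */
    0,0,0,0,                                   /* no next IFD */
    'h','e','l','l','o',0 };
/* Same layout with count = 0x7FFFFFFF: the size check must reject it. */
static const uint8_t exif_bad_count[] = {
    'I','I', 42,0, 8,0,0,0, 1,0,
    0x0E,0x01, 2,0, 0xFF,0xFF,0xFF,0x7F, 26,0,0,0, 0,0,0,0,
    'h','e','l','l','o',0 };
/* Same layout with offset 0xFFFFFFF0: offset + size would wrap; must reject. */
static const uint8_t exif_bad_off[] = {
    'I','I', 42,0, 8,0,0,0, 1,0,
    0x0E,0x01, 2,0, 6,0,0,0, 0xF0,0xFF,0xFF,0xFF, 0,0,0,0,
    'h','e','l','l','o',0 };
```

The two malformed samples show the checks that matter: the size is computed in 64 bits so a huge count cannot wrap to a small value, and the offset is compared as `len - off < size` rather than `off + size > len` so an offset near 4 GiB cannot wrap either. The string copy is bounded by the caller's buffer, not by the count the file claims.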
This issue comprises multiple vulnerabilities, with a maximum Common Vulnerability Scoring System (CVSS) score of 7.5. View the linked CVE identifiers for descriptions of the libexif security issues that this security advisory addresses.
CVE identifier — CVSS score
These issues are mitigated for all customers by the prerequisite that the attacker must persuade the customer to access the maliciously crafted image with malformed EXIF data by opening or saving the specially crafted image. The attacker cannot force the customer to open or save the image or bypass the requirement that the customer chooses to access the image. BlackBerry recommends that customers do not open or save images in emails received from untrusted sources or within webpages they are otherwise directed to by untrusted sources, on the BlackBerry tablet.
The capabilities and permissions of BlackBerry tablet applications are restricted by using a technique called sandboxing. Sandboxing limits the impact that a vulnerability in one application can have on the confidentiality or integrity of other applications or the private data associated with them.
There are no workarounds for these vulnerabilities. BlackBerry recommends that all users apply the available software update to fully protect their BlackBerry PlayBook tablets.
Any workaround or mitigation should be considered a temporary measure for customers to employ if they cannot install the update immediately or must first perform standard testing and risk analysis. BlackBerry recommends that customers without these requirements install the update to secure their systems.
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities maintained by the MITRE Corporation.
CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.
Corrected to fix typo.