[gizmo21]

Update as of August 15th: With the hotfix AAG111 (PRIV) and AAG124 (DEK50) the quadrooter vulnerablity is fixed - at least for those that are getting those updates:
* http://blogs.blackberry.com/2016/08/...lnerabilities/

* http://support.blackberry.com/kb/art...mber=000038385


A third party application (reads https://play.google.com/store/apps/d...int.quadrooter ) reports a software version as vulnerable when the advisory document lists it as not affected. Why is this?

BlackBerry is not responsible for third party applications but is aware that some applications check component versions rather than attempting to reproduce a vulnerability. Since this approach does not account for differences in specific implementations, it is possible for these tests to give a false positive response. BlackBerry has extensively tested these patches and can confirm that the fix versions that are listed in this advisory are unaffected by the QuadRooter issues, including ASHmenian Devil.

---


Check Point just released an article to the media naming 4 Qualcomm vulnerabilities "quadrooter" where 900 million devices are affected also explicitly naming BlackBerry PRIV as first device.

�The four security flaws are CVE-2016-2503 ★ (found in Qualcomm's GPU driver, fixed in Google's Android Security Bulletin for July 2016), CVE-2016-2504 ★ (Qualcomm GPU driver, fixed in Google's Android Security Bulletin for August 2016), CVE-2016-2059 ★ (Qualcomm kernel module, fixed in April, patch status unknown), and CVE-2016-5340 ★ (Qualcomm GPU driver, fixed, patch status unknown).�

The upper two CVEs seems to be fixed by BlackBerry (if you already have August 5th update as some are still waiting) but the other two only one seem not fixed atm (as for the security bulletins of BlackBerry). But unclear if Priv is really affected by those two.

QuadRooter: New Android Vulnerabilities in Over 900 Million Devices | Check Point Blog

QuadRooter Android Security Bugs Affect over 900 Million Devices

Now BlackBerry could release some statement to use the media coverage and at least get those Aug patches out to all users:
http://forums.crackberry.com/blackbe...pdate-1081877/

[plutschnik]

So NOW is the chance to finally root my Priv?

[gizmo21]

Just check XDA, for news on that front

[paulwallace1234]

The integrity checks would probably stop it from booting ^

Posted via CB10

[kariekas]

does the wink imply there is such possibility? for I only find one thread about bypassing frp, yet it doesn't work anymore

[ChillieBrick]

Check Point just released an article to the media naming 4 Qualcomm vulnerabilities ...

The upper two CVEs seems to be fixed by BlackBerry (if you already have August 5th update as some are still waiting)

I found 2 on my Priv, just purchased mid July. Do I contact BlackBerry to get an update?

Thanks for posting.

[gizmo21]

does the wink imply there is such possibility? for I only find one thread about bypassing frp, yet it doesn't work anymore

No just wanted to channel "wanted rooting" discussions to XDA to where it belongs.

[Acchaladka]

The integrity checks would probably stop it from booting ^

Posted via CB10

Thanks for this - makes intuitive sense but a statement from BlackBerry will be appreciated.

I found one vulnerability using the 'Quadrooter Scanner' app in the Playstore, and my Priv has all updates installed including August 5th.

I assume the recommendation is to sit tight and wait a few hours or days for an update / security patch to come out?

[gizmo21]

I found 2 on my Priv, just purchased mid July. Do I contact BlackBerry to get an update?

Thanks for posting.

Did you check with https://play.google.com/store/apps/d...int.quadrooter ??


Beware, this testing app by the guys that discovered the vulnerabilities wishes permission e.g. for contacts.

[LyoobaBerry]

On my Priv it didn't ask for any permission, but did find two non addressed vulnerabilities. I see one has been fixed in August patch, but I'm still on July one

Posted via the CrackBerry App for Android

[AnimalPak200]

The integrity checks would probably stop it from booting ^

Posted via CB10

That would be interesting to see.

Posted via CB10

[ChrisAmbrose]

Issue remains in 5th August Patch https://www.codeaurora.org/invalid-p...-cve-2016-5340

Posted via the CrackBerry App for Android 6.0.1

[ToniCipriani]

'Quadrooter' flaws affect over 900 million Android phones | ZDNet

Nexus is affected, says should be part of Septemer. It's up to BlackBerry to decide if this is a critical vulnerability such that they need a push to update earlier, "Qualcomm provided the patch to partners" already.

At least we're only one out of the four not patched. Run it on a Verizon unit and I bet all 4 are a hit.

[gizmo21]

� The recently-announced BlackBerry DTEK50, which the company touts as the "most secure Android smartphone," is also vulnerable to one of the flaws.�

Ouch, this CVE 2016-5340 was committed on 2016-07-13 09:20:15 (GMT). Too late for initial DTEK50 launch but now we'll see if take out of band patching seriously or the whole "most secure android" will be a good PR for BB bashers.

[ToniCipriani]

� The recently-announced BlackBerry DTEK50, which the company touts as the "most secure Android smartphone," is also vulnerable to one of the flaws.�

Ouch, this CVE 2016-5340 was committed on 2016-07-13 09:20:15 (GMT). Too late for initial DTEK50 launch but now we'll see if take out of band patching seriously or the whole "most secure android" will be a good PR for BB bashers.

I'm pretty sure the firmware need to be sent to TCL well before that. Not like they just started production last week for a launch this week, so there's no way they could have included that patch. Best they can do is an August update the moment it's out of the box and connects to the Internet.

[anon(9607753)]

This is where the added value in purchasing a BlackBerry Android phone shines through. And guess what? BlackBerry can still sit back and say yeah we have done our best to secure Android. It is what it is. But we still have BB10. Buy a Passport. LOL.

Posted via BlackBerry Priv STV100-1

[Bla1ze]

QuadRooter: 5 things to know about the latest Android security scare | Android Central

[gizmo21]

Got that as PM:

� BlackBerry is aware of the issue described in CVE-2016-5340 known as �ASHmenian Devil�. A fix was integrated and tested in our labs shortly after the report was received and will be made available to customers as soon as possible.

While the vulnerability affects the majority of Android devices including BlackBerry Android Smartphones, we believe that BlackBerry�s secure boot chain design mitigates the issue since any elevation of privilege to root level will be temporary and any exploit for this issue would be unable to gain a persistent root. BlackBerry is not aware of any exploits for this vulnerability in the wild and does not believe that any customers are currently at risk from this issue �


At least you need a good name for vulnerabilities these days. Thanks BB Team for letting us know.

[Mecca EL]

What's funny to me is, after everyone reads these reported vulnerabilities that "could" - not HAVE - allow an attacker access, as long as the "attacker" has PHYSICAL access to the device in question, the Chicken Little's do thee EXACT thing that they are told NOT to do... they install a Quadrooter Vulnerability app from an unknown source

I swear.

The only hack people ever need to fear is the hack that has the ability to penetrate their fears.

[ToniCipriani]

Got that as PM:

� BlackBerry is aware of the issue described in CVE-2016-5340 known as ‘ASHmenian Devil’. A fix was integrated and tested in our labs shortly after the report was received and will be made available to customers as soon as possible.

While the vulnerability affects the majority of Android devices including BlackBerry Android Smartphones, we believe that BlackBerry’s secure boot chain design mitigates the issue since any elevation of privilege to root level will be temporary and any exploit for this issue would be unable to gain a persistent root. BlackBerry is not aware of any exploits for this vulnerability in the wild and does not believe that any customers are currently at risk from this issue �


At least you need a good name for vulnerabilities these days. Thanks BB Team for letting us know.

They actually should post this in like big letters on their blog and tell everyone about it, and pronounce to the world that they are the first to completely patch up the vulnerability, within the week it was announced. That should get some shock and awe.

[anon(9742832)]

Check Point just released an article to the media naming 4 Qualcomm vulnerabilities "quadrooter" where 900 million devices are affected also explicitly naming BlackBerry PRIV as first device.

�The four security flaws are CVE-2016-2503 ★ (found in Qualcomm's GPU driver, fixed in Google's Android Security Bulletin for July 2016), CVE-2016-2504 ★ (Qualcomm GPU driver, fixed in Google's Android Security Bulletin for August 2016), CVE-2016-2059 † (Qualcomm kernel module, fixed in April, patch status unknown), and CVE-2016-5340 † (Qualcomm GPU driver, fixed, patch status unknown).�

The upper two CVEs seems to be fixed by BlackBerry (if you already have August 5th update as some are still waiting) but the other two seem not fixed atm (as for the security bulletins of BlackBerry). But unclear if Priv is really affected by those two.

QuadRooter: New Android Vulnerabilities in Over 900 Million Devices | Check Point Blog

QuadRooter Android Security Bugs Affect over 900 Million Devices

Now BlackBerry could release some statement to use the media coverage and at least get those Aug patches out to all users:
http://forums.crackberry.com/blackbe...pdate-1081877/

No worries if you are careful with your phone than its a non starter for trouble. Just like with Windows, as long as you watch what you install or download than no issues occur. When the patch comes as it will, I would love to know what the actual patch rate is. I would bet its less than 50%. That's why Microsoft went to mandatory updates in Windows 10. People just don't update and install security patches. Same goes for APPS. People seldom update the APPS and only when they have too. So a secure phone as always defaults to the owner and in the end they are the weakest link.

[liridonw]

It's already here even after August update

Posted via the CrackBerry App for Android

[Ecm]

It's already here even after August update

Posted via the CrackBerry App for Android

Hmm... I wonder how many people have run the check, then tapped "Get ZoneAlarm Protection" conveniently placed at the bottom of the results screen?

[Mecca EL]

Hmm... I wonder how many people have run the check, then tapped "Get ZoneAlarm Protection" conveniently placed at the bottom of the results screen?

[FF22]

They actually should post this in like big letters on their blog and tell everyone about it, and pronounce to the world that they are the first to completely patch up the vulnerability, within the week it was announced. That should get some shock and awe.

Except if you have a Priv from Verizon. In which case no one gives a DAMN!