1. lop01's Avatar
    SECURITY ALERT for BlackBerry devices:

    A remote user can create specially crafted HTML that, when loaded by the target user, will cause the target user's browser to become unresponsive. The browser will restart and display an error message. (KB24841-Partial Denial of Service (DoS) in the BlackBerry browser application)

    There are fixes from RIM, BUT only for OS 5 and OS 6!!

    The OS 4xxx is now UNSUPPORTED! As explained by RIM:

    "RIM has issued a software update that resolves this issue in BlackBerry Device Software versions later than 5.0.0. BlackBerry Device Software version 4.7.0 and earlier is unsupported"

    Here are the affected versions:

    Vulnerable software and versions (cf. NVD CVE-2010-2599)
    * rim:blackberry_software:5.0.0.593
    * rim:blackberry_software:5.0.0.983
    * rim:blackberry_software:5.0.0.973
    * rim:blackberry_software:5.0.0.1041
    * rim:blackberry_software:4.0
    * rim:blackberry_software:4.7
    * rim:blackberry_software:4.6.1
    * rim:blackberry_software:4.6
    * rim:blackberry_software:4.5.0
    * rim:blackberry_software:4.7.1
    * rim:blackberry_software:5.0.0.882
    * rim:blackberry_software:5.0.0.1036
    * rim:blackberry_software:5.0.0.1039 and previous versions

    I always had the feeling that RIM was very security conscious and was taking care of its users; that feeling is gone once and for all.
    01-17-11 04:46 AM
  2. rrrebo's Avatar
    So the 2nd vulnerability EVER found in BBOS, and you have lost all faith? RIM released a fix. How are they not taking care of their users? Granted, there are still a lot of 83xx users out there on 4.5 still, but that's been a dead OS for a while now, and this vulnerability only seems to affect the device browser. It doesn't spread, it doesn't corrupt or steal data, it just locks up the device. Hardly a major security threat. Calm down; have some dip.
    01-17-11 07:28 AM
  3. i7guy's Avatar
    That's kind of like saying you lost all faith in Microsoft because they won't patch the vulnerabilities in Windows 2000.
    01-17-11 08:47 AM
  4. lop01's Avatar
    But Windows 2000 was made available in 2000, eleven years ago. We bought the last batch of BlackBerries 81xx and 83xx in 2010.

    One year is a bit short for security updates from a company building on security solutions.

    If you look at XP, which is unsupported by Microsoft, they still distribute security updates after 9 years! (And they are not supposed to be a very security-related company.)
    01-17-11 11:07 AM
  5. i7guy's Avatar
    RIM has sunsetted some versions the same as Microsoft; why would time frame matter? Are you saying your device won't allow an update to a newer version?

    Even Microsoft stops supporting older service packs like SP1, etc.
    01-17-11 10:01 PM
  6. lop01's Avatar
    Yes, our batch of 8310 and 8320 won't get OS5 (memory constraints), so we are trapped on the 4.5 release.

    Yes, time frame matters in security; even Microsoft keeps the time frame around 10 years, which is some sort of industry standard.

    Users don't mind if SP1 is not supported as long as XP is security supported, even if it is not supported anymore, because it is what runs on their system. You can nearly always upgrade to SP2 and SP3 without changing hardware.

    So clearly what I was taking for granted from RIM is providing security updates, even if the device is unsupported (bug, evolution, amelioration, ...), as Microsoft is doing with XP.

    And BTW we love our little 83xx devices; they are perfect devices for us. The keyboard is one of the best in the whole industry (much better than the keyboards of the new ones, 9700, 9300, ...).
    01-18-11 04:03 AM
  7. Rootbrian's Avatar
    Well, my advice and precaution, don't install that suspicious app. That'll solve the issue entirely.

    01-18-11 05:37 AM
  8. rrrebo's Avatar
    Rootbrian, did you RTFA? It's not a "suspicious app." It's an HTML vulnerability that can be exploited on any webpage. But it requires the user to actually go there, which can be accomplished by phishing e-mails or stupidity.

    Still, it doesn't seem to compromise user data in any way, so it's not much of a priority to patch on older OS versions. It just means if you hit the wrong website, you'll have to pull your battery.

    01-18-11 05:55 AM
  9. MayorHaji's Avatar
    The only reason XP is still being patched is because it took Microsoft so long to get Vista out. How they typically work is a new Windows release every 3 years, and support the previous one with full patch support and 2 back with critical patches only. XP will receive no support after 2014. This was chosen due to the market's negative reaction to Vista and corporations sticking with XP during that time. So, no. 10 years is NOT an industry standard. It just happens to be what it is now due to slipped timelines.

    01-18-11 08:08 AM
  10. i7guy's Avatar
    > Yes, our batch of 8310 and 8320 won't get OS5 (memory constraints), so we are trapped on the 4.5 release.
    >
    > Yes, time frame matters in security; even Microsoft keeps the time frame around 10 years, which is some sort of industry standard.
    >
    > Users don't mind if SP1 is not supported as long as XP is security supported, even if it is not supported anymore, because it is what runs on their system. You can nearly always upgrade to SP2 and SP3 without changing hardware.
    >
    > So clearly what I was taking for granted from RIM is providing security updates, even if the device is unsupported (bug, evolution, amelioration, ...), as Microsoft is doing with XP.
    >
    > And BTW we love our little 83xx devices; they are perfect devices for us. The keyboard is one of the best in the whole industry (much better than the keyboards of the new ones, 9700, 9300, ...).

    You can't go to 4.7.x which will receive the patch? This is such a low risk item, why would you even care? I honestly wish the worst vulnerability of Windows 7 was this.
    01-18-11 09:11 AM
  11. rrrebo's Avatar
    4.7 is for Tour and Storm devices only, I believe.
    01-18-11 10:57 AM
  12. lop01's Avatar
    @MayorHaji 10 years is an industry standard; it has nothing to do with XP and Microsoft, only that Microsoft is quite following this standard, with support of two OSes on top of the current one and a three-year schedule between them.

    @i7guy the 8310 and 8320 can't get the 4.7; they are blocked at 4.5.
    AND the 4.7 will not get the security update; only 5.0 and 6.0 will get it.
    01-19-11 12:10 PM