[trsbbs]

National Cyber Awareness System:

BlackBerry Releases Security Advisory
11/14/2013 02:36 PM EST


Original release date: November 14, 2013

BlackBerry has released a security advisory to address potential vulnerabilities that affect a remote file access feature within BlackBerry Link for Blackberry 10 Operating Systems. These vulnerabilities could allow an attacker to obtain elevation of privilege or execute arbitrary code remotely.

US-CERT recommends users and administrators to review the BlackBerry Security Advisory BSRT 2013-012 and follow best practice security policies to determine which updates should be applied.

[Bold_until_Hybrid_Comes]

Yikes this is horrible

[trsbbs]

In short, turn Link off at both ends.


Posted via CB10 on a Verizon Z10 running 10.2.0.1791

[Poirots Progeny]

That's not good!

Posted via CB10

[cjcampbell]

Not great news, but to credit BlackBerry, they found the issue and told people about it. As far as we know, it hasn't been exploited, and they have also found holes in the past only to patch them without known incident.

[Shanerredflag]

Its just the NSA...carry on.

[anon(3732391)]

We all know that mobile devices are much more sophisticated computers than your desktop or laptop. And, so much more vulnerable because of it's Wi-Fi capabilities.
You wouldn't think of operating your PC without some kind of security software.So, why act so surprised?
Last year alone 10's of thousands of virus's were reported on Android devices.
And the majority of virus's on those devices came from Social Networks!

It's so easy for cyber-criminals to compromise mobile devices. Think about it.

You share your music, photo's and video's with the world. You let everyone know WHERE you're going, WHAT you're listening to on the way there. HOW you're getting there WHEN you get there and WHY you went there in the first place.
And all the while you're being tracked by your GPS!

Blackberry has good security but in a world where our government is already prepared to hack into another countries mainframe how hard do you think it would be to compromise a mobile device.?

The most important app you should already have installed on your device is anti-virus/ security.
And if you balk over $10.00 then you deserve to get hacked!

There's just so many "found holes" and "patches" before you get hacked of your Contacts, Credit Card information and other things that you thought were secure!

... end of rant!

[BCITMike]

Links?

Posted via CB10

[00stryder]

How on Earth has this not been reported on yet? How am I just reading this?!

Posted via CB10

[PorcinusMaximus]

Good heads-up, but it doesn't sound like a huge deal. Here's the link to it:

BSRT 2013-012 Vulnerability in remote file access feature impacts BlackBerry Link

There's lots there, but a few highlights, first the Overview --

"This advisory addresses an elevation of privilege or remote code execution vulnerability that is not currently being exploited but affects BlackBerry Link. BlackBerry customer risk is limited by the inability of a potential attacker to force exploitation of the vulnerability without customer interaction. Successful exploitation can require that an attacker must persuade a user on a system with BlackBerry Link installed to click on a specifically crafted link or access a webpage containing maliciously crafted code. In the alternative scenario, successful exploitation requires that a local attacker must be able to log in to the affected system while the BlackBerry Link remote file access feature is running under a different user account. If the requirements are met for exploitation, an attacker could potentially gain access to, read, or modify data from the BlackBerry Link remote file access folder of the user account under which the BlackBerry Link�s remote file access feature is running. After installing the recommended software update, affected BlackBerry Link customers will be fully protected from this vulnerability." [emphasis mine]

-- and from Mitigations:

"Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations and general best practices.

The elevation of privilege attack scenario for this issue is mitigated in systems that do not support multiple users, and it is further mitigated by the requirement that the attacker must have valid local login credentials.

Remote code execution attack scenarios for this issue are mitigated for all customers by the prerequisite that the attacker must persuade the customer to access the maliciously crafted link or visit a webpage containing maliciously crafted code." [emphasis mine]

[LazyEvul]

Did anyone bother to check whether or not they have fixed it? From the security advisory page:

Affected Software
BlackBerry Link for Windows version 1.0.1.12 to 1.2.0.28
BlackBerry Link for Mac OS version 1.0.1 (build 6) to 1.1.1 (build 35)

Non-Affected Software
BlackBerry Link for Windows prior to version 1.0.1.12
BlackBerry Link for Mac OS prior to version 1.0.1 (build 6)
BlackBerry Link for Windows version 1.2.1.31
BlackBerry Link for Mac OS version 1.1.1 (build 39)

As usual, it's a matter of security being up to the user - keep your software up-to-date and you'll be fine.

[00stryder]

I'm glad they're being pro-active with this, but still surprised that I haven't seen this being reported at all. Other sites I get because they probably don't even know what RFA is, but CB? N4BB?

Posted via CB10

[Brutal Efficiency]

Horrible? They fixed a potential problem...

BlackBerry Bold 9900; Q10; Z10 [BBM#6]

[Gerii]

That's why they should give normal users the ability to access Samba shares directly from our device instead of that Link app.

Posted via CB10

[glamrlama]

That's why they should give normal users the ability to access Samba shares directly from our device instead of that Link app.

Posted via CB10

Use ES file explorer of ghost commander if you need simple access to local smb: shares