1. Accidental Post's Avatar
    New Security Flaws Found in BlackBerry 6 OS, IM Apps | PCWorld Business Center

    New Security Flaws Found in BlackBerry 6 OS, IM Apps

    By Al Sacco, CIO

    It's been more than two months since Research In Motion (RIM) reported a BlackBerry smartphone or BlackBerry Enterprise Server (BES) security flaw, but the Canadian company has announced a handful of recently discovered vulnerabilities in its BlackBerry 6 handheld OS and BES for IBM Lotus Notes and Microsoft Exchange.

    [Image: BlackBerry Torch 9800 with Padlock (Image Credit: Brian Sacco)]

    First, RIM reports that three newly discovered vulnerabilities in the BlackBerry 6 Webkit browser could allow a hacker to access and/or modify data stored within a BlackBerry 6 smartphone's internal storage, as well as on its external media card.

    From RIM:

    "Successful exploitation of the vulnerabilities requires the BlackBerry smartphone user to browse to a website that the attacker has maliciously designed. A successful attack could result in remote code execution (RCE) on a smartphone running BlackBerry 6. An attacker exploiting these vulnerabilities could read or write to the built-in media storage section of a BlackBerry smartphone or to the media card but could not access user data that the email, calendar, and contact applications store in the application storage (the internal file system that stores application data and user data) of the BlackBerry smartphone."

    The flaws affect a number of BlackBerry smartphones running the BlackBerry 6 OS, including the Bold 9650, Bold 9700, Bold 9780, Curve 9300, Pearl 9100, Style 9670, and Torch 9800 handhelds.

    RIM recommends updating your BlackBerry 6 smartphone's OS to v6.0.0.522 for the Bold 9650, Curve 9330 smartphone, and Style 9670 smartphones; and to v6.0.0.566 for the remaining affected devices. However, some wireless carriers have not yet released these software builds, so RIM recommends contacting your carrier and requesting the appropriate software if it's not yet available to you. (Find more details on RIM's security advisory page.)

    Secondly, RIM reports a new BES flaw that could affect organizations that employ Microsoft's Office Communications Server (OCS) 2007 R2 and/or the Microsoft Lync Server 2010 BlackBerry IM Client with certain versions of RIM's BES for Lotus Notes and BES for Microsoft Exchange.

    From RIM:

    "A vulnerability exists in the BlackBerry Collaboration Service component of the affected versions of the BlackBerry Enterprise Server. Successful exploitation of this vulnerability would allow a potentially malicious BlackBerry device user within an organization to log into the BlackBerry Collaboration Service as another BlackBerry Collaboration Service user within the organization. This would allow the potentially malicious user to send messages as the legitimate user and receive messages sent to the legitimate user, as well as prevent the legitimate user from accessing the BlackBerry Collaboration Service. This would also allow the potentially malicious user to access the legitimate user's enterprise instant messaging contact list."

    To address the issue, RIM released new security updates for BES in the form of a BES 5.0.3 maintenance release 4 (MR4) software update. Both BES updates can be downloaded from RIM's server downloads page. (Find more specifics on this new BES flaw on RIM's security advisory page.)

    AS

    K Bear likes this.
    10-24-11 02:19 PM
  2. guerllamo7's Avatar
    Wow. This is actually kind of cool. RIM actually was the one to find a potential security vulnerability and tell people how to patch it before it was discovered. Thanks for staying on the job RIM.

    by the way, I'd rather have RIM continuously working on security for us than finding out we have been breached with an iphone.

    Exploiting the iPhone

    How To Hijack 'Every iPhone In The World' - Forbes.com

    iPhone Security Issues Reported: Germany's Security Experts Warn Of Apple iOS Malware Vulnerability

    http://www.huffingtonpost.com/2011/0..._n_892203.html

    You must have looked pretty hard since you are a troll that repeatedly tries to get BlackBerry users to switch to iPhone and even conduct clinics on how to pretend a virtual keyboard is as natural to real one so thanks for confirming the BlackBerry is the most secure phone out there. The vulnerability was discovered and patched by RIM.

    It took me two seconds to find 50 articles on iPhone vulnerability and not one they warned their users with but external groups exposing them. Like the antenna gate issue all over again.

    Thanks for confirming the BlackBerry is the most secure phone out there. I'm glad RIM is on the job.

    Go RIM!
    Last edited by guerllamo7; 10-24-11 at 02:38 PM.
    10-24-11 02:35 PM
  3. i7guy's Avatar
    Thread should be moved. Kind of cool rim disclosed the vulnerability and the patch.
    ridesno159 likes this.
    10-24-11 03:53 PM
  4. lax42's Avatar
    All rim has over the iPhone is the security and keyboard hahahaha I love how ppl still try to act like rim is in the same ball park as the iPhone
    10-24-11 06:52 PM
  5. Michelle Haag's Avatar
    While this was originally posted to incite a war, I have moved it to the correct forum and cleaned it of the arguing.
    Keep it on topic, or it gets deleted. Easy as that.

    Also, stop calling each other trolls. Engage in conversation, or don't say anything. No need to hide behind that word every other post. Ignore, move on, whatever.
    moiselles and Barljo like this.
    10-24-11 08:11 PM
  6. Blacklac's Avatar
    Those browser exploits are old and were patched. They also affect more than just RIM.
    hornlovah likes this.
    10-24-11 08:56 PM
  7. hornlovah's Avatar
    Sigh. I'm not sure why the article’s author categorized the WebKit browser exploits as "newly discovered," but it is clear he did not explore BlackBerry’s security advisory in depth (check the reference section). All three of the WebKit vulnerabilities he mentioned were exposed in March 2011. One of them was the exploit used during Pwn2Own. RIM did a good job at getting a fix out to the carriers for testing and approval within 2 weeks of their discovery however.
    10-24-11 09:08 PM
  8. i7guy's Avatar
    This was the pwn2own vulnerability? I must have been tired when I read the information 'cause you're right, old info.
    10-24-11 09:21 PM
  9. DannyAves's Avatar
    Flaw in the Webkit browser...wasn't the Webkit browser developed by Apple?
    10-24-11 09:24 PM
  10. SharpieFiend's Avatar
    Flaw in the Webkit browser...wasn't the Webkit browser developed by Apple?
    Apple would like you to think that, but most of the work on Webkit was done by Torch Mobile, who was acquired by RIM.
    10-24-11 09:30 PM
  11. ekafara's Avatar
    Good job RIM for finding it first.
    Last edited by Adam Zeis; 10-25-11 at 10:37 AM. Reason: content
    Dapper37 likes this.
    10-24-11 09:48 PM
  12. DannyAves's Avatar
    Apple would like you to think that, but most of the work on Webkit was done by Torch Mobile, who was acquired by RIM.
    Didn't know that. Perhaps you should get the entry at Wikipedia changed, it says:

    "WebKit was originally derived by Apple Inc. from the Konqueror browser's KHTML software library for use as the engine of Safari web browser..."
    10-24-11 09:56 PM
  13. anon(1603170)'s Avatar
    Apple would like you to think that, but most of the work on Webkit was done by Torch Mobile, who was acquired by RIM.
    The code that would become WebKit began in 1998 as the KDE project's HTML layout engine KHTML and KDE's JavaScript engine (KJS). The WebKit project was started within Apple by Don Melton on 25 June 2001[5] as a fork of KHTML and KJS. Melton explained in an e-mail to KDE developers[6] that KHTML and KJS allowed easier development than other available technologies by virtue of being small (fewer than 140,000 lines of code), cleanly designed and standards-compliant
    They got access to the microsd, they still have not touched the operating system itself... ba dum tsss
    10-24-11 11:40 PM
  14. qbnkelt's Avatar
    I love it when attempts to show off a RIM vulnerability crash and burn. Particularly when in such a spectacular manner.
    And no....when it comes to security, BBerries are not on a par with any other platform. They're way ahead, at this time.
    Jake Storm likes this.
    10-25-11 02:00 AM
  15. Superfly_FR's Avatar
    New Security Flaws Found in BlackBerry 6 OS, IM Apps | PCWorld Business Center

    New Security Flaws Found in BlackBerry 6 OS, IM Apps

    By Al Sacco, CIO

    First, RIM reports that three newly discovered vulnerabilities in the BlackBerry 6 Webkit browser could allow a hacker to access and/or modify data stored within a BlackBerry 6 smartphone's internal storage, as well as on its external media card.

    From RIM:
    [...] An attacker exploiting these vulnerabilities could read or write to the built-in media storage section of a BlackBerry smartphone or to the media card but could not access user data that the email, calendar, and contact applications store in the application storage (the internal file system that stores application data and user data) of the BlackBerry smartphone."
    You're right (but by accident)

    1. Dammed Webkit based web browsers ... what would Safari/Chrome or any other webkit based browser do ?

    2. Contrarily to what is unfairly suggested, BES and Internal storage (i.e. the secured storage) are not impacted. But yes, accidentalpost, the pictures of you using a BB device stored on a media card may be unveiled !

    3. It shows that RIM is attentive and responsive to threats (even low level ones) and reacts with appropriate methods, no more.
    Last edited by Superfly_FR; 10-25-11 at 02:21 AM.
    10-25-11 02:18 AM
  16. T�nis's Avatar
    The title of the referenced article mentions IM apps, but I can't find any mention of IM apps in the article.

    Posted from my CrackBerry at wapforums.crackberry.com
    10-25-11 05:39 AM
  17. knowledge_6's Avatar
    All rim has over the iPhone is the security and keyboard hahahaha I love how ppl still try to act like rim is in the same ball park as the iPhone
    not really ... for me it's the usage i get out of the BB.. apps like shortcut me and now with nfclauncher it's MUCH MORE useful than Siri!!

    to able to tap a sticker to make my phone READY for the car, for sleep, for office, for restaurant, for meetings, to launch any app i have on my device is pretty useful!

    you can't even tell Siri to turn on wifi, or bluetooth, or tell it to change settings...

    Even John at Technobuffalo said that he found Siri to be pretty much useless after a week of use.. now he forgets it's there!

    so don't generalize cause i'm sure that out of the 3 million members on CB a good hand full of them can tell you why they choose the BB over the iphone... (and i am sure it's not just Security and Keyboard)
    10-25-11 11:37 AM
  18. StaticFX's Avatar
    I was one of the many who jumped ship .. Storm2 to the iPhone 4s.. while i do love the new phone. There are plenty of things that the BB still does better. (and that i miss!!)

    Notifications (sounds - more choices and settings), status light.. apps that let you set volume and vib for each type of notification
    Status bar (why doesn't the iPhone show even stuff like missed call and email??? drives me nuts that i have to swipe down to check)
    Themes.... sigh.... no themes on the iphone
    email is better (always)
    I cant multi delete emails easily!!! i have to hit edit then tap each email to mark it... i cant just use 2 fingers. lame!
    I cant believe the apple still doesnt have a weather app that shows the weather on the icon??
    Cant set it to turn off/on automatically

    ...i miss the menu button! lol

    anyways.. plenty of stuff is better but i dont want this post to be "my iphone is better than your bb"

    but i will say, for siri - it was fun to try asking silly questions. now I just use it while driving. Easy to tell it to text the wife, and set a reminder, or play music. Otherwise, they need to add much more functionality to make it "super awesome"
    knowledge_6 likes this.
    10-25-11 11:51 AM
  19. qbnkelt's Avatar

    but i will say, for siri - it was fun to try asking silly questions. now I just use it while driving. Easy to tell it to text the wife, and set a reminder, or play music. Otherwise, they need to add much more functionality to make it "super awesome"
    Siri is soooo much fun!!! One member of my development team has a white iP4S, and I WANT that thing. Been playing with Siri. FUN! Just wish there were a male voice. With a perfect RP accent. *sigh*
    10-25-11 07:50 PM