1. markdental's Avatar
    Looks like Verizon is going to have to update their OS sooner than they might have wanted to.

    Click here for the article

    Thanks to CX for the article.

    Basically the article says that if you are on: BlackBerry Device Software v4.7.0.x then you should upgrade to v4.7.0.179 or later

    Hmm, that doesn't exist right now.

    So what does Verizon do? Update to a fail 5.0, or go to a > v4.7.0.179????

    BTW, this is a pretty decent security flaw in the browser which makes it easier for malicious parties to execute "phishing" attacks on unsuspecting smartphone users.
    Last edited by markdental; 09-29-09 at 03:35 PM.
    09-29-09 10:34 AM
  2. drakison's Avatar
    *BUMP*

    this is a HUGE issue for Verizon. I have been trying to reach my business rep all day today regarding this. I am going to try to get a Verizon engineer on the phone today and will post what their response is.

    This applies to more than just the Storm OS too by the way. It affects all of the OS versions below.

    BlackBerry Device Software version 4.5.0.x:
    Update to version 4.5.0.173 or later.

    BlackBerry Device Software version 4.6.0.x:
    Update to version 4.6.0.303 or later.


    BlackBerry Device Software version 4.6.1.x:
    Update to version 4.6.1.309 or later.

    BlackBerry Device Software version 4.7.0.x:
    Update to version 4.7.0.179 or later.

    BlackBerry Device Software version 4.7.1.x:
    Update to version 4.7.1.57 or later.

    secunia.com/advisories/36875 <-- url missing the http -- cant post a link as I have less than 10 posts...*sigh*
    Last edited by drakison; 09-29-09 at 03:16 PM.
    09-29-09 03:09 PM
  3. johnc28's Avatar
    wow. thats absolutely insane.

    gg verizon
    09-29-09 03:13 PM
  4. Mapex's Avatar
    Realistically, one rare security flaw such as the one in the article cannot be a good enough reason to upgrade to software which may break popular features of the phone for users. It's easier if they just spread awareness of this certificate spoofing technique, for example by releasing this information in the first place, than to deal with the thousands of phone calls complaining that the new software that was forced onto their phone has made it unusable or worse than before.

    Crackberry fanatics are most likely going to use the best of the leaked versions over any official release anyway, so it doesn't affect us that much anyway. The "normal" user has the potential to get a horrible phone experience if a botched software is imposed onto their phone just to fix a single rare but somewhat dangerous flaw.

    Ideally, all of the files in the OS would be almost independent of each other so that something like being unable to display null characters, a core issue of the phone, could be patched without affecting the other core functionality or the other apps from the OS. I'm not sure what's with the emphasis on having a single radio file matter so much outside of determining how the device handles I/O.
    09-29-09 03:23 PM
  5. dylanmail's Avatar
    Does it just affect the BB browser or any other browsers like Opera Mini or Bolt?
    09-29-09 03:28 PM
  6. drakison's Avatar
    DESCRIPTION:
    A security issue has been reported in BlackBerry Device Software, which can be exploited by malicious people to potentially conduct spoofing attacks.

    The security issue is caused due to the dialog box displayed by the browser when a mismatched certificate is detected not showing e.g.
    NULL ('\0') characters. This can be exploited to potentially trick a user into ignoring the warning dialog box and accept a spoofed certificate containing special characters in the Common Name field.


    That's not exactly a "feature" issue. For people like me that manage a Business BES...we have to stay with supported versions or lose the potential for support.

    By allowing a spoofed cert, you could potentially allow the exploit to create an email hook, which could be detrimental to a company that has sensitive data.
    09-29-09 03:30 PM
  7. markdental's Avatar
    I was actually surprised that noone even commented on my thread before now.

    I thought this was huge news. Verizon HAS to address this and SOON!!!!

    But how will they do it?

    As for what to do. I would use the Opera browser or any other 3rd party browser only in the meantime. It seems that this only affects the BB Browser.
    09-29-09 03:34 PM
  8. Mapex's Avatar
    That's not exactly a "feature" issue. For people like me that manage a Business BES...we have to stay with supported versions or lose the potential for support.

    By allowing a spoofed cert, you could potentially allow the exploit to create an email hook, which could be detrimental to a company that has sensitive data.
    I don't disagree, however a rushed software release may add more security flaws on top of breaking certain features that you may need functioning on your phone. No IT department of any corporate environment just rushes a fix to a security flaw until they know the fix won't add any more glaring issues, so it would be the same for both business users and end users in terms of having the carrier push an upgrade.

    Spreading the awareness of an easily avoided problem as stated in the article is a decent way of delaying the need for a software upgrade. I bet your business has already sent a company-wide email regarding this issue, explaining to the workers to be careful when that certificate verification prompt pops up as they need to wait before a fix is pushed onto their phones.

    Actually, no - your company-wide email probably tells people to automatically hit "Deny" on those prompts for the safety of the company, regardless of how trustworthy the web site may be.
    09-29-09 04:07 PM
  9. chuckh0308's Avatar
    Hope there's something out there that fixes this AND doesn't have a broken media player...lol!

    Really though, wasn't RIM still aiming to have all devices on 5.0 by the end of the year? Maybe this will help assure that goal is met.
    09-29-09 04:14 PM
  10. drakison's Avatar
    I don't disagree, however a rushed software release may add more security flaws on top of breaking certain features that you may need functioning on your phone. No IT department of any corporate environment just rushes a fix to a security flaw until they know the fix won't add any more glaring issues, so it would be the same for both business users and end users in terms of having the carrier push an upgrade.

    Spreading the awareness of an easily avoided problem as stated in the article is a decent way of delaying the need for a software upgrade. I bet your business has already sent a company-wide email regarding this issue, explaining to the workers to be careful when that certificate verification prompt pops up as they need to wait before a fix is pushed onto their phones.

    Actually, no - your company-wide email probably tells people to automatically hit "Deny" on those prompts for the safety of the company, regardless of how trustworthy the web site may be.

    agreed totally...a rushed release will more than likely have flaws. Patching their current release to fix the issue would be the correct way of handling it in my opinion. Also, any good IT department will push a release quickly provided that they have tested it in their environment, and deemed it reliable and safe in their environment regardless of what Verizon says.

    As the IT support for Blackberry phones in our company, I would prefer to run a RIM version of the OS that has no security flaws, provided it tests fine for 48 hours within our environment, than run a flawed, yet supported, version from Verizon.

    Our BES does tell the device to say no, however, as most avid BB users know, there are ways to remove security profiles, which leave them vulnerable. Assuming your users won't exploit that is ignorant from an IT perspective. I can never assume security by obscurity.
    09-29-09 04:28 PM
  11. WJF84's Avatar
    I was actually surprised that noone even commented on my thread before now.

    I thought this was huge news. Verizon HAS to address this and SOON!!!!

    But how will they do it?

    As for what to do. I would use the Opera browser or any other 3rd party browser only in the meantime. It seems that this only affects the BB Browser.
    Are you not aware of the inherent security risks of using Opera Mini? All of your data passes through the servers in Sweden and is cached. This is a security risk in itself, but there have been additional examples of security risks inherent in this type of architecture, such as logging credentials/sessions being cached on opera and when another user browsed to the same site, they are auto-logged in as you.

    I use OM religiously but you suggesting to use it instead of the default browser because of this minor issue is ridiculous.

    Posted from my CrackBerry at wapforums.crackberry.com
    09-29-09 04:59 PM
  12. markdental's Avatar
    The security flaws you describe do not allow attacks on your phone. Different completely.

    Posted from my CrackBerry at wapforums.crackberry.com
    09-29-09 06:07 PM
  13. anon(34771)'s Avatar
    this is HUGE
    09-29-09 06:33 PM
  14. ObliteRon's Avatar
    This probably belongs in a different forum, since affects more than just the Storm.

    With that said, as a BES administrator (among other things) I am also wondering if devices running 4.2.x.x and 4.3.x.x are affected. The security advisory is unclear if they are, and we still have a number of 8703e devices out there running OS 4.2.
    09-29-09 08:45 PM
  15. JRSCCivic98's Avatar
    Huh...? What happened...? Is there all of a sudden a lot of tallent looking into vulnerabilities in the BB platform and finding it. lol

    BTW, this was posted in the main Blackberry News forum.... yep, the one none of us go to.


    BTW, good news (maybe)... it appears OS5 and other high version leaks of prior OSs might not be affected.... good news for leaks huh? Who said leaks were bad...
    Last edited by JRSCCivic98; 09-29-09 at 10:57 PM.
    09-29-09 10:55 PM
  16. Todd M's Avatar
    this is HUGE
    That's what she said...

    Sorry, had to do it. I know it wasn't anything substantive, only very-early-in-the-morning humor...

    I don't see Big Red rushing into anything, especially after the last time they rushed into something (S1 launch) without making sure it comes correct. My guess is that they will make everyone aware of the issue as much as possible and then will push out 5.0 as it's currenly slated. Just MHO...
    09-30-09 05:54 AM
  17. WJF84's Avatar
    The security flaws you describe do not allow attacks on your phone. Different completely.

    Posted from my CrackBerry at wapforums.crackberry.com
    I think you're missing the point. You are advising people to use OM because of the security flaw in the BB browser. This is a very dangerous comment and I would imagine most IT teams would be mortified if their users were using OM.

    The severity of the flaw is debatable and the risk is minimal. The risks of using OM are real and present every time you use it.

    Posted from my CrackBerry at wapforums.crackberry.com
    09-30-09 06:17 AM
  18. drakison's Avatar
    This probably belongs in a different forum, since affects more than just the Storm.

    With that said, as a BES administrator (among other things) I am also wondering if devices running 4.2.x.x and 4.3.x.x are affected. The security advisory is unclear if they are, and we still have a number of 8703e devices out there running OS 4.2.
    It does not appear that anything older than 4.5 is affected by this bug. That would make sense, as 4.5 included a newer (well not newer, but "improved") browser. At least they claim that it did anyways...LOL.
    09-30-09 08:16 AM
LINK TO POST COPIED TO CLIPBOARD