Date: 12 January 2011
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0027
Partial Denial of Service (DoS) in the BlackBerry browser application
12 January 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BlackBerry Device Software
Publisher: RIM
Operating System: BlackBerry Device
Impact/Access: Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2010-2599
Original Bulletin:
http://blackberry.com/btsc/KB24841
- --------------------------BEGIN INCLUDED TEXT--------------------
Partial Denial of Service (DoS) in the BlackBerry browser application
Article ID: KB24841
Type: Security Advisory
First Published: 01-11-2011
Last Modified: 01-11-2011
Product(s) Affected:
The issue affects the BlackBerry browser application of the following
software versions:
* BlackBerry® Device Software versions earlier than 6.0.0
Non Affected Software
* BlackBerry® Desktop Software
* BlackBerry® Enterprise Server Software
Issue Severity
This vulnerability has a Common Vulnerability Scoring System (CVSS)
score of 5.0.
Overview
This advisory relates to a BlackBerry Device Software vulnerability
that could allow an attacker to maliciously craft a web page such
that, when the BlackBerry device user views the page on a device
running the affected BlackBerry Device Software, the browser
application becomes unresponsive. The BlackBerry device subsequently
terminates the browser, and the browser eventually restarts and
displays an error message. Successful exploitation of this issue
relies on the user viewing the maliciously crafted web page on a
device running the affected BlackBerry Device Software. The impact is
limited to a partial Denial of Service (DoS) in the browser
application in use on the BlackBerry device.
Issue Status: Vulnerability confirmed. Check for software containing
the security update based on your wireless service provider. For more
information, see the Resolution section.
Who should read this advisory
* BlackBerry Enterprise Server administrators
* BlackBerry device users
Who should apply the software fix(es)
* BlackBerry Enterprise Server administrators
* BlackBerry device users
Recommendation
Complete the resolution actions documented in this advisory.
References
CVE® Identifier: CVE-2010-2599
Problem
If the BlackBerry device user browses to a malformed web page, the
BlackBerry browser application consumes sufficient resources to make
the BlackBerry device appear unresponsive.
Impact
This issue results in a temporary, partial Denial of Service (DoS)
without risk of information disclosure or loss of integrity. This
issue does not have the potential to allow an attacker to access the
BlackBerry device or its stored user data.
Resolution
RIM has issued a software update that resolves this issue in
BlackBerry Device Software versions later than 5.0.0. BlackBerry
Device Software version 4.7.0 and earlier is unsupported, and versions
later than 6.0.0 are unaffected.
To check for available updates for your BlackBerry Device Software,
visit http://www.blackberry.com/updates/.
BlackBerry smartphone model                 Applications version to update to
(running a supported applications version)
BlackBerry® Curve(TM) 8520 smartphone       Version 5.0.0.1036 or later
BlackBerry® Curve(TM) 8900 smartphone       Version 5.0.0.1036 or later
BlackBerry® Bold(TM) 9000 smartphone        Version 5.0.0.1036 or later
BlackBerry® Curve(TM) 8530 smartphone       Version 5.0.0.882 or later
BlackBerry® Pearl(TM) 9100 smartphone       Version 5.0.0.882 or later
BlackBerry® Pearl(TM) 9105 smartphone       Version 5.0.0.882 or later
BlackBerry® Storm2(TM) 9520 smartphone      Version 5.0.0.882 or later
BlackBerry® Storm2(TM) 9550 smartphone      Version 5.0.0.882 or later
BlackBerry® Curve(TM) 9300                  Version 5.0.0.1039 or later
BlackBerry® Curve(TM) 9330 smartphone       Version 6.0.0.280 or later
BlackBerry® Storm(TM) 9530 smartphone       Version 5.0.0.1041 or later
BlackBerry® Tour(TM) 9630 smartphone        Version 5.0.0.973 or later
BlackBerry® Bold(TM) 9650 smartphone        Version 5.0.0.983 or later, or
                                            Version 6.0.0.280 or later
BlackBerry® Bold(TM) 9700 smartphone        Version 6.0.0.380 or later
If you are using a software version that is not listed above, update
to one of the listed versions before applying the software update.
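The per-model table, its "or later" wording and the version-range statements in the Resolution section can be turned into a fleet check that a BlackBerry Enterprise Server administrator could run over a device inventory. The Python below is an added example and is not code from RIM or AusCERT. It assumes a constructed CSV inventory (device_id, model, build) and applies one reading of the table: a build is compared only against the minimum listed for its own major.minor.patch line, so 6.0.0.100 on a Bold 9650 is reported as vulnerable even though a plain tuple comparison would rank it above 5.0.0.983; builds with no same-line entry fall back to the Resolution section's range statements (4.7.0 and earlier unsupported, later than 6.0.0 unaffected). Where the table and those range statements disagree (a 6.0.0 build below the listed minimum on the Curve 9330 or Bold 9650), the example follows the table, which is the conservative choice.

```python
"""Fleet check for the KB24841 browser DoS fix (CVE-2010-2599).

Added example; not code from RIM or AusCERT. The per-model minimum builds
are copied from the advisory's table. The same-line comparison rule and the
constructed inventory below are this example's assumptions.
"""
import csv
import io
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Minimum patched build per model, from the advisory's table. A model may
# list one build per software line (the Bold 9650 lists a 5.0.0 and a
# 6.0.0 build).
MIN_PATCHED: Dict[str, List[str]] = {
    "Curve 8520": ["5.0.0.1036"],
    "Curve 8900": ["5.0.0.1036"],
    "Bold 9000": ["5.0.0.1036"],
    "Curve 8530": ["5.0.0.882"],
    "Pearl 9100": ["5.0.0.882"],
    "Pearl 9105": ["5.0.0.882"],
    "Storm2 9520": ["5.0.0.882"],
    "Storm2 9550": ["5.0.0.882"],
    "Curve 9300": ["5.0.0.1039"],
    "Curve 9330": ["6.0.0.280"],
    "Storm 9530": ["5.0.0.1041"],
    "Tour 9630": ["5.0.0.973"],
    "Bold 9650": ["5.0.0.983", "6.0.0.280"],
    "Bold 9700": ["6.0.0.380"],
}


def parse_version(text: str) -> Version:
    """Parse a dotted Device Software build ('5.0.0.1036'), padding to four parts."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    parts += ["0"] * (4 - len(parts))
    return tuple(int(p) for p in parts)


def line_of(version: Version) -> Version:
    """The major.minor.patch line a build belongs to: 5.0.0.1036 -> (5, 0, 0)."""
    return version[:3]


def assess(model: str, build: str) -> Tuple[str, Optional[str]]:
    """Return (status, target_build) for one device.

    status is 'patched', 'vulnerable', 'unsupported' or 'unaffected';
    target_build is the advisory's build to move to when vulnerable.
    """
    v = parse_version(build)
    thresholds = MIN_PATCHED.get(model, [])
    # Compare only against the threshold from the same software line. A plain
    # tuple compare would rank 6.0.0.100 on a Bold 9650 above 5.0.0.983 and
    # call it patched, which the table does not support.
    for threshold in thresholds:
        t = parse_version(threshold)
        if line_of(t) == line_of(v):
            return ("patched", None) if v >= t else ("vulnerable", threshold)
    # No same-line entry: fall back to the Resolution section's range statements.
    if line_of(v) < (5, 0, 0):
        return ("unsupported", None)        # 4.7.0 and earlier: no fix offered
    if line_of(v) >= (6, 0, 0):
        return ("unaffected", None)         # later than 6.0.0 per the advisory
    # A 5.0.0 build on a model whose fix shipped on another line (or a model
    # the table omits): affected, and the advisory says to move to a listed
    # version first.
    return ("vulnerable", thresholds[0] if thresholds else None)


# Constructed inventory for the demonstration; the device IDs are made up.
SAMPLE_INVENTORY = """\
device_id,model,build
dev-01,Bold 9650,6.0.0.100
dev-02,Curve 8520,5.0.0.1036
dev-03,Bold 9700,5.0.0.714
dev-04,Curve 8900,4.6.1.250
dev-05,Curve 9300,5.0.0.1039
"""


def audit(inventory_csv: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Assess every row of a device_id,model,build CSV."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["device_id"]: assess(row["model"], row["build"]) for row in reader}


if __name__ == "__main__":
    for device, (status, target) in audit(SAMPLE_INVENTORY).items():
        note = f" -> update to {target} or later" if target else ""
        print(f"{device}: {status}{note}")
```

The same-line rule is what makes the Bold 9650 row meaningful: a naive "version >= 5.0.0.983" check would wave through a 6.0.0 build that the table says still needs 6.0.0.280. Model names are the short forms from the table; adapt the keys to whatever your inventory export uses.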
Workaround
If the browser application or the BlackBerry device stops responding,
the following options are available to the user:
* Wait for the BlackBerry device or the browser application to
respond. How long this takes depends on the memory and processing
resources the device has available.
* Switch to another application on the BlackBerry device. That
application may run slowly while the browser application issue is
consuming the device's resources.
* Reset the BlackBerry device.
Acknowledgements
RIM would like to thank Laurent Oudot of TEHTRI Security for his
involvement in helping protect our customers.
Disclaimer
By downloading, accessing or otherwise using the Knowledge Base
documents you agree:
(a) that the terms of use for the documents found at
www.blackberry.com/legal/knowledgebase apply to your use or
reference to these documents; and
(b) not to copy, distribute, disclose or reproduce, in full or in
part any of the documents without the express written consent of RIM.
Visit the BlackBerry Technical Solution Center at
www.blackberry.com/btsc.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967
iD8DBQFNLP/3/iFOrG6YcBERAuxXAKCXbx/IJm0dqHsFRu9wB0HTftA2twCaAsxT
ryv8muJqFvqXo01qZFGi76o=
=jrkn
-----END PGP SIGNATURE-----