Date: 14 June 2011
References: ESB-2011.0603
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0622
Vulnerability in Adobe Flash Player version included with
the BlackBerry PlayBook tablet software
14 June 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BlackBerry PlayBook
Publisher: RIM
Operating System: BlackBerry Device
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2011-2107
Reference: ESB-2011.0603
Original Bulletin:
http://www.blackberry.com/btsc/KB27240
--------------------------BEGIN INCLUDED TEXT--------------------
Vulnerability in Adobe Flash Player version included with the BlackBerry PlayBook tablet software
Article ID: KB27240
Type: Security Advisory
First Published: 11-06-2011
Last Modified: 06-11-2011
Product(s) Affected:
* BlackBerry PlayBook
Affected Software
* Adobe Flash Player versions included with the BlackBerry
PlayBook tablet software versions 1.0.5.2304 and earlier
Non Affected Software
* BlackBerry PlayBook tablet software version 1.0.5.2342 or later
Are BlackBerry smartphones and the BlackBerry Device Software affected?
No.
Issue Severity
The issue is in the Adobe Flash Player and affects systems that support
Adobe Flash. Adobe recommends that affected users update their
installations of Adobe Flash Player. Read Adobe Security Bulletin
APSB11-13, Security update available for Adobe Flash Player for full
details of the issues.
This vulnerability has a Common Vulnerability Scoring System (CVSS)
score of 4.3.
Overview
A vulnerability identified in Adobe Flash Player affects the BlackBerry
PlayBook tablet software.
Adobe Flash Player is a cross-platform, browser-based application
runtime. Adobe Flash Player is created and supported by Adobe and
included with the BlackBerry PlayBook tablet software.
Who should read this advisory
* BlackBerry PlayBook tablet users
* IT administrators who deploy BlackBerry PlayBook tablets in an
enterprise
Who should apply the software fix(es)
* BlackBerry PlayBook tablet users
* IT administrators who deploy BlackBerry PlayBook tablets in an
enterprise
Recommendation
Complete the resolution action documented in this advisory.
Best practices
RIM recommends that BlackBerry PlayBook tablet users do not click links
in emails received from untrusted sources or within webpages they are
otherwise directed to by untrusted sources.
References
CVE Identifier: CVE-2011-2107
Problem
This cross-site scripting vulnerability could be used to perform
actions on behalf of a BlackBerry PlayBook tablet user on any website
or webmail provider if the user visits a maliciously crafted website
that loads Adobe Flash content.
Successful exploitation of this vulnerability requires an attacker
to craft Adobe Flash content in a stand-alone Adobe Flash (.swf)
application or embed Adobe Flash content in a website and then persuade
the user to access the Adobe Flash content by clicking a link to the
content in an email message or on a webpage. The email message could be
received at a webmail account that the user accesses in a browser on
the BlackBerry PlayBook tablet.
Impact
Successful exploitation of this vulnerability could result in the
attacker leveraging sensitive information from the browser session of
the compromised website without the knowledge of the BlackBerry
PlayBook tablet user. Adobe reports that this vulnerability is being
exploited in active targeted attacks on users of Adobe Flash content.
RIM is not aware of any attacks on or specifically targeting
BlackBerry PlayBook tablet users.
Mitigations
RIM recommends that all users apply the available software update to
fully protect their BlackBerry PlayBook tablet. However, prior to the
software update being applied, awareness of the following mitigations
may help limit the risk of exposure to an attack.
This issue is mitigated for all users by the prerequisite that the
attacker persuade the user to access the maliciously crafted Adobe
Flash content by opening the Adobe Flash application or clicking a
maliciously crafted link in an email message. The attacker cannot force
the user to access the content or bypass the requirement that the user
choose to access the content.
This vulnerability is unlikely to lead to impacts beyond cross-site
request forgery (a scenario where an attack uses a legitimate user's
credentials to perform unwanted actions on behalf of the user on a
website to which the user is authenticated). The capabilities and
permissions of the BlackBerry PlayBook tablet web browser are heavily
restricted using a technique called sandboxing. Sandboxing limits the
likelihood of impact to the confidentiality or integrity of enterprise
data stored on the BlackBerry PlayBook tablet or a
BlackBerry smartphone that is paired with the tablet using BlackBerry
Bridge. If the vulnerability is successfully exploited while the user
is using the BlackBerry Bridge application, there is a risk that an
attacker could use the legitimate user's credentials to perform
unwanted actions on websites within the enterprise network.
Resolution
RIM has issued BlackBerry PlayBook tablet software version 1.0.5.2342
which resolves this Adobe Flash Player vulnerability on affected
versions of the BlackBerry PlayBook tablet. Update your BlackBerry
PlayBook tablet software to version 1.0.5.2342 or later to apply the
update to Adobe Flash Player as recommended by Adobe.
Update By Accessing the Software Update Notification
Your BlackBerry PlayBook tablet uses notifications to keep you informed
about software updates. When a new software update notification comes
in, it appears in the top right hand corner of the BlackBerry PlayBook
status ribbon.
1. Simply view your notifications and follow the steps to access
the latest software update notification and complete the software
update.
Manually Check for Software Updates
1. From the home screen, tap the Settings icon to open Settings.
2. Tap Software Updates.
3. Tap Check for Updates.
After you update your software, the screen will indicate that you
have installed BlackBerry Tablet OS version 1.0.5.2342 or later.
Workaround
RIM recommends that all users apply the available software update to
fully protect their BlackBerry PlayBook tablet.
All workarounds should be considered temporary measures for customers
to employ if they cannot install the update immediately or must perform
standard testing and risk analysis. RIM recommends that customers
without these requirements simply install the update to secure their
systems.
For users that are unable to upgrade at this time, this risk can be
mitigated by temporarily disabling all Adobe Flash content in the
browser on the BlackBerry PlayBook tablet (in the browser, tap Options
> Content, and set Enable Flash to Off).
Important: Turning off Adobe Flash content in the browser will impact
the ability to view content on some web pages, and/or result in a
diminished browsing experience.
Once users have upgraded their BlackBerry PlayBook tablet software,
they can re-enable Adobe Flash content in the browser (in the browser,
tap Options > Content, and set Enable Flash to On).
Additional Information
Have any BlackBerry customers been subject to an attack that exploits
this vulnerability?
RIM is not aware of any attacks on or specifically targeting BlackBerry
PlayBook tablet users.
Is this a vulnerability in RIM's BlackBerry PlayBook tablet source
code?
No. The vulnerability is in Adobe Flash Player, a cross-platform,
browser-based application runtime. Adobe Flash Player is created and
supported by Adobe and included with the BlackBerry PlayBook tablet
software.
Can a BlackBerry PlayBook tablet user update Flash Player without
performing a full BlackBerry Tablet OS update?
No. The Adobe Flash Player is provided as an integral part of the
BlackBerry Tablet OS installation, and they must be updated together.
Can an administrator use BlackBerry Enterprise Server IT policies to
disable Adobe Flash Player on BlackBerry PlayBook tablets in an
enterprise?
There are no IT policies that an administrator can use to disable Adobe
Flash Player on the BlackBerry PlayBook tablet.
Can an attacker access enterprise data if a successful attack is
performed by getting the user to click a link in the BlackBerry
PlayBook tablet web browser?
No.
Does the BlackBerry PlayBook tablet force me to update my software?
No, your action is required to update the software. Your BlackBerry
PlayBook tablet uses notifications to keep you informed about software
updates and allows you to easily complete a software update. You can
also manually check for software updates. See the Resolution section of
this advisory for steps to update your software.
How can I find out what version of BlackBerry Tablet OS I am running?
From the home screen, tap the Settings icon, tap About, and view the OS
Version field in the General settings.
I already have version 1.0.5 of the BlackBerry Tablet OS. Do I need
to update my software?
Yes, you need to update to version 1.0.5.2342 or later to be protected
against the vulnerability.
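The version question above is the kind of check an administrator would run over a device inventory. The following is an added example, not part of the RIM or AusCERT bulletin: it classifies a reported Tablet OS version against the two thresholds the advisory gives (1.0.5.2304 and earlier affected, 1.0.5.2342 or later fixed) and treats a truncated version such as "1.0.5" as insufficient evidence of being patched. The device names and version strings in the sample inventory are constructed.

```python
# Added example (not from the RIM/AusCERT bulletin): classify a BlackBerry
# PlayBook's reported Tablet OS version against the CVE-2011-2107 thresholds
# given in the advisory, for an asset-inventory check.
FIXED_VERSION = (1, 0, 5, 2342)   # "Non Affected Software": this build or later
LAST_AFFECTED = (1, 0, 5, 2304)   # "Affected Software": this build and earlier
COMPONENTS = 4                    # PlayBook OS versions have four numeric fields


def parse_version(text):
    """Parse 'a.b.c.d' into a tuple of ints; None if malformed or incomplete.

    A truncated version such as '1.0.5' (the FAQ case) is rejected: without
    the build number it cannot show the device is on 1.0.5.2342 or later.
    """
    parts = text.strip().split(".")
    if len(parts) != COMPONENTS or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def assess(reported):
    """Return 'fixed', 'affected' or 'unknown' for a reported version string."""
    version = parse_version(reported)
    if version is None:
        return "unknown"          # unparseable or incomplete: needs manual follow-up
    if version >= FIXED_VERSION:
        return "fixed"
    if version <= LAST_AFFECTED:
        return "affected"
    return "unknown"              # a build between 2304 and 2342 is not covered by the bulletin


def devices_needing_update(inventory):
    """Device names (sorted) whose status is anything other than 'fixed'."""
    return sorted(name for name, ver in inventory.items() if assess(ver) != "fixed")


if __name__ == "__main__":
    # Constructed sample inventory: device name -> version reported by the device.
    sample = {
        "tablet-01": "1.0.5.2342",
        "tablet-02": "1.0.5.2304",
        "tablet-03": "1.0.5",     # incomplete report, as in the FAQ question
        "tablet-04": "1.0.6.1",
    }
    for name in sorted(sample):
        print(f"{name}: {sample[name]} -> {assess(sample[name])}")
    print("needs update:", devices_needing_update(sample))
```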
Are new (still in the box) BlackBerry PlayBooks exposed to this
vulnerability?
No. During the initial setup process, the BlackBerry PlayBook tablet
will download and install the latest version of the BlackBerry PlayBook
Tablet OS, which will be version 1.0.5.2342 or later. The fix for the
vulnerability is included in all future versions of the BlackBerry
PlayBook tablet software.
What is CVE?
Common Vulnerabilities and Exposures (CVE) is a dictionary of common
names (CVE Identifiers) for publicly known information security
vulnerabilities maintained by the MITRE corporation.
CVSS
CVSS is a vendor-agnostic, industry open standard designed to convey
the severity of vulnerabilities. CVSS scores may be used to determine
the urgency for update deployment within an organization. CVSS scores
range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS for
vulnerability assessments to present an immutable characterization of
security issues. RIM assigns all relevant security issues a non-zero
score.
Where can I read more about BlackBerry PlayBook security?
Read the BlackBerry PlayBook Security Technical Overview for more
information on security features in the BlackBerry PlayBook tablet.
Where can I read more about the security of BlackBerry products and
solutions?
Visit www.blackberry.com/security for more information on
BlackBerry security.
Disclaimer
By downloading, accessing or otherwise using the Knowledge Base
documents you agree:
(a) that the terms of use for the documents found at
www.blackberry.com/legal/knowledgebase apply to your use or
reference to these documents; and
(b) not to copy, distribute, disclose or reproduce, in full or in
part any of the documents without the express written consent of RIM.
Visit the BlackBerry Technical Solution Center at
www.blackberry.com/btsc.
Copyright 2011 Research In Motion Limited, unless otherwise noted.
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================