Date: 03 August 2012
References: ESB-2012.0180 ESB-2012.0245 ESB-2012.0326.2 ESB-2012.0440
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0731
Vulnerabilities in Adobe Flash Player version included with
the BlackBerry PlayBook tablet software
3 August 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: BlackBerry PlayBook
Publisher: BlackBerry
Operating System: BlackBerry Device
Impact/Access: Execute Arbitrary Code/Commands -- Remote with User Interaction
Denial of Service -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2012-0779 CVE-2012-0773 CVE-2012-0769
CVE-2012-0768 CVE-2012-0767 CVE-2012-0756
CVE-2012-0755 CVE-2012-0754 CVE-2012-0753
CVE-2012-0752
Reference: ESB-2012.0440
ESB-2012.0245
ESB-2012.0180
ESB-2012.0326.2
Original Bulletin:
http://blackberry.com/btsc/KB31675
- --------------------------BEGIN INCLUDED TEXT--------------------
BSRT-2012-003 Vulnerabilities in Adobe Flash Player version included with the
BlackBerry PlayBook tablet software
Products
Affected Software
Adobe Flash Player versions included with BlackBerry PlayBook tablet software
versions 2.0.1.358 and earlier.
Non Affected Software
BlackBerry PlayBook tablet software version 2.0.1.668 or later.
Are BlackBerry smartphones and the BlackBerry Device Software affected?
No.
Issue Severity
These issues are in the Adobe Flash Player and affect systems that support
Adobe Flash. Adobe recommends that affected users update their installations of
Adobe Flash Player. Read the following Adobe security bulletins for further
information on the issues:
* Adobe Security Bulletin APSB12-03, Security update available for Adobe Flash
Player
http://www.adobe.com/support/security/bulletins/apsb12-03.html
* Adobe Security Bulletin APSB12-05, Security update available for Adobe Flash
Player
https://www.adobe.com/support/security/bulletins/apsb12-05.html
* Adobe Security Bulletin APSB12-07, Security update available for Adobe Flash
Player
https://www.adobe.com/support/security/bulletins/apsb12-07.html
* Adobe Security Bulletin APSB12-09, Security update available for Adobe Flash
Player
http://www.adobe.com/support/security/bulletins/apsb12-09.html
These vulnerabilities have Common Vulnerability Scoring System (CVSS) scores
that range from 4.3-6.8. See the References section below for the CVSS scores
of each issue, listed by CVE issue identifier.
Overview
This advisory addresses several issues in Adobe Flash Player, the most severe
of which could result in remote code execution (RCE) within the context of an
application that uses Adobe Flash (such as the BlackBerry PlayBook browser).
On the BlackBerry PlayBook, the BlackBerry Tablet OS is designed to restrict an
application's access to system resources and the private data of other
applications, which limits the risk and exposure to customers. There are no
known attacks against BlackBerry PlayBook tablet users at this time. BlackBerry
PlayBook tablet users who have updated the BlackBerry Tablet OS to version
2.0.1.668 or later are protected from these vulnerabilities.
Adobe Flash Player is a cross-platform, browser-based application runtime.
Adobe Flash Player is created and supported by Adobe and included with the
BlackBerry PlayBook tablet software.
Who should read this advisory?
* BlackBerry PlayBook tablet users
* IT administrators who deploy BlackBerry PlayBook tablets in an enterprise
Who should apply the software fix(es)?
* BlackBerry PlayBook tablet users
* IT administrators who deploy BlackBerry PlayBook tablets in an enterprise
Recommendation
Complete the resolution actions documented in this advisory.
Best practices
RIM recommends that BlackBerry PlayBook tablet users do not click links in
emails received from untrusted sources or within webpages they are otherwise
directed to by untrusted sources.
References
View the linked CVE identifiers for descriptions of the Adobe Flash Player
security issues that this security advisory addresses.
CVE identifier CVSS score
CVE-2012-0752 6.8
CVE-2012-0753 6.8
CVE-2012-0754 6.8
CVE-2012-0755 6.8
CVE-2012-0756 6.8
CVE-2012-0767 4.3
CVE-2012-0768 6.8
CVE-2012-0769 4.3
CVE-2012-0773 6.8
CVE-2012-0779 6.8
Problem
BlackBerry PlayBook tablet software that uses a vulnerable version of the Adobe
Flash Player could potentially be susceptible to remote code execution (RCE).
Successful exploitation of these issues requires an attacker to craft Adobe
Flash content in a stand alone Adobe Flash (.swf) application or embed Adobe
Flash content in a website and then persuade the user to access the Adobe Flash
content by clicking a link to the content in an email message or on a webpage.
The email message could be received at a webmail account that the user accesses
in a browser on the BlackBerry PlayBook tablet.
Impact
Successful exploitation of any of these issues could potentially result in an
attacker being able to execute arbitrary code (that is, achieve RCE) in the
context of the application that opens the specially crafted Adobe Flash content
(typically the web browser). Failed exploitation of this issue might result in
abnormal or unexpected termination of the application.
While Adobe reports that the vulnerabilities described in bulletin APSB12-09
are being actively leveraged in attacks on users of Adobe Flash content, RIM is
not aware of any attacks against BlackBerry PlayBook tablet users at this time.
Mitigations
RIM recommends that all users apply the available software update (BlackBerry
PlayBook tablet software version 2.0.1.668) to fully protect their BlackBerry
PlayBook tablets. However, prior to the software update being applied,
awareness of the following mitigations may help limit the risk of exposure to
an attack.
These issues are mitigated for all users by the prerequisite that the attacker
must persuade the user to access the maliciously crafted Adobe Flash content by
opening the Adobe Flash application or clicking a maliciously crafted link in
an email message or on a webpage. The attacker cannot force the user to access
the content or bypass the requirement that the user chooses to access the
content.
These vulnerabilities are unlikely to lead to impacts beyond those listed
above. The capabilities and permissions of BlackBerry PlayBook tablet
applications are heavily restricted using a technique called sandboxing.
Sandboxing limits the likelihood of impact to the confidentiality or integrity
of other applications or the private data associated with them.
Resolution
RIM has issued BlackBerry PlayBook tablet software version 2.0.1.668 which
resolves these Adobe Flash Player vulnerabilities on affected versions of the
BlackBerry PlayBook tablet. Update your BlackBerry PlayBook tablet software to
version 2.0.1.668 or later to apply the update to Adobe Flash Player as
recommended by Adobe.
Note: This BlackBerry PlayBook tablet update includes all previously released
security updates for Adobe Flash Player on the BlackBerry Tablet OS.
Update by Accessing the Software Update Notification
Your BlackBerry PlayBook tablet uses notifications to keep you informed about
software updates. When a new software update notification comes in, it appears
in the BlackBerry PlayBook status ribbon at the top of the screen.
Simply view your notifications and follow the steps to access the latest
software update notification and complete the software update.
Manually Check for Software Updates
1. Open Options.
2. Tap Software Updates.
3. Tap Check for Updates.
After you update your software, the screen will indicate that you have
installed BlackBerry Tablet OS version 2.0.1.668 or later.
Workaround
RIM recommends that all users apply the available software update to fully
protect their BlackBerry PlayBook tablets.
All workarounds should be considered temporary measures for customers to employ
if they cannot install the update immediately or must perform standard testing
and risk analysis. RIM recommends that customers without these requirements
simply install the update to secure their systems.
For users that are unable to upgrade at this time, this risk can be mitigated
by temporarily disabling all Adobe Flash content in the browser on the
BlackBerry PlayBook tablet (in the browser, tap Options > Content, and set
Enable Flash to Off).
Important: Turning off Adobe Flash content in the browser will impact the
ability to view content on some web pages, and/or result in a diminished
browsing experience.
Once users have upgraded their BlackBerry PlayBook tablet software, they can
re-enable Adobe Flash content in the browser (in the browser, tap Options >
Content, and set Enable Flash to On).
Additional Information
Have any BlackBerry customers been subject to an attack that exploits these
vulnerabilities?
RIM is not aware of any attacks on or specifically targeting BlackBerry
PlayBook tablet users.
Are these vulnerabilities in RIMs BlackBerry PlayBook tablet source code?
No. These vulnerabilities are in Adobe Flash Player, a cross-platform,
browser-based application runtime. Adobe Flash Player is created and supported
by Adobe and included with the BlackBerry PlayBook tablet software.
Can a BlackBerry PlayBook tablet user update Adobe Flash Player without
performing a full BlackBerry Tablet OS update?
No. The Adobe Flash Player is provided as an integral part of the BlackBerry
Tablet OS installation, and they must be updated together.
Can an administrator use BlackBerry Enterprise Server IT policies to disable
Adobe Flash Player on BlackBerry PlayBook tablets in an enterprise?
There are no IT policies that an administrator can use to disable Adobe Flash
Player on the BlackBerry PlayBook tablet.
Does the BlackBerry PlayBook tablet force me to update my software?
No, your action is required to update the software. Your BlackBerry PlayBook
tablet uses notifications to keep you informed about software updates and
allows you to easily complete a software update. You can also manually check
for software updates. See the Resolution section of this advisory for steps to
update your software.
How can I find out what version of BlackBerry Tablet OS I am running?
- From the home screen, tap the Settings icon, tap About, and view the OS Version
field in the General settings.
Are new (still in the box) BlackBerry PlayBook tablets exposed to these
vulnerabilities?
No. During the initial setup process, the BlackBerry PlayBook tablet will
download and install the latest version of the BlackBerry Tablet OS, which will
be version 2.0.1.668 or later. The fix for these vulnerabilities is included in
all future versions of the BlackBerry PlayBook tablet software.
What is CVE?
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE
Identifiers) for publicly known information security vulnerabilities maintained
by the MITRE corporation.
What is CVSS?
CVSS is a vendor agnostic, industry open standard designed to convey the
severity of vulnerabilities. CVSS scores may be used to determine the urgency
for update deployment within an organization. CVSS scores can range from 0.0
(no vulnerability) to 10.0 (critical). RIM uses CVSS for vulnerability
assessments to present an immutable characterization of security issues. RIM
assigns all relevant security issues a non-zero score.
Where can I read more about BlackBerry PlayBook tablet security?
Read the BlackBerry PlayBook Security Technical Overview for more information
on security features in the BlackBerry PlayBook tablet.
Where can I read more about the security of BlackBerry products and solutions?
Visit http://www.blackberry.com/security for more information on BlackBerry
security.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUBsxuO4yVqjM2NGpAQKfwg//TEVNIjSHrJvfHVmwfHeU9gnp+7LjVxuX
20ZItUAOn4/0Wa/G8fqyObClgIud41CZlbWjWyowMyzvzbBY4rR96BuOfsTzPxzu
yk3EOuxnNSVbvHC+MO/WTJZU3Iv2jWxAZzUjCTN1AC7et9bBRyTEcoqwC5InUDXl
wnargOZF6oEhSumfBN6yXsg2guWAustShy/3sN/iXG6WKHFcm3JEZhdBF7tgRetL
RDtt8DPMioqJ4Jdiqq/2DdAQu8rGQfLQ66Au18BIbWHK+UjHoWqThhnZwXvmJlAR
JEgnKciN53PiRzYEI3sOeTuSWyo8hYxSCoW2X0zsbomTPRtxNAV08pOQCh11uAtT
KWUh7I3fKeWLMRX+G8E7V2MigOotCoGM0Frl6XToqQi/Tjv+a8LQf8vcMO6bnIUa
rWtvjiNBCXm5c7gpyX7OtjhAbPNYbBVIHqBYMnBm2G+InTXU++XKyu9kmJbRcvQT
PHnHCv0vjKFiRKLqSVN/kIocBCd6805NYgm4+rbsBkszg2ATzPzzXElEyeqBbkFC
hT3Uza5s/glQ/bQpIxfiwhiubcPBQLZmAUchupX4EmUuj56NgF3e+NURryFUuv5x
bIj+BcWEj91jG2ivIAa8xSi4GnEjSmsSeKAgZmlgNcIRyJvagb2V5YxsG/pESgn2
QLFYQgC9wJQ=
=RBFK
-----END PGP SIGNATURE-----
|