15 January 2014
===========================================================================
AUSCERT Security Bulletin

ASB-2014.0006
A number of vulnerabilities have been addressed in BlackBerry Z10, Q10
and PlayBook devices
15 January 2014
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:              BlackBerry Z10 smartphones
                      BlackBerry Q10 smartphones
                      BlackBerry PlayBook tablets
Operating System:     BlackBerry Device
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-2555 CVE-2013-1380 CVE-2013-1379
                      CVE-2013-1378
Member content until: Friday, February 14 2014
Reference:            ESB-2013.0517
                      ESB-2013.0508

OVERVIEW

A number of vulnerabilities have been addressed in BlackBerry Z10
smartphones, BlackBerry Q10 smartphones, and BlackBerry PlayBook tablets.

IMPACT

The vendor has provided the following details regarding these issues:

CVE-2013-1378, CVE-2013-1379, CVE-2013-1380, CVE-2013-2555:

"Vulnerabilities exist in the Flash Player version supplied with affected
versions of the BlackBerry 10 OS and PlayBook OS. The Flash Player is a
cross-platform, browser-based application runtime. Successful exploitation
of these vulnerabilities could potentially result in an attacker executing
code in the context of the application that opens the specially crafted
Flash content (typically the web browser). Failed exploitation of this
issue might result in abnormal or unexpected termination of the
application.

In order to exploit these vulnerabilities, an attacker must craft Flash
content in a stand-alone Flash (.swf) application or embed Flash content in
a website. The attacker must then persuade the user to access the Flash
content by clicking a link to the content in an email message or on a
webpage, or loading it as part of an AIR application. The email message
could be received at a webmail account that the user accesses in a browser
on BlackBerry Z10 and BlackBerry Q10 smartphones and BlackBerry tablets.

These vulnerabilities have a Common Vulnerability Scoring System (CVSS)
score of 6.8."

MITIGATION

BlackBerry has released a fix to correct these issues.

REFERENCES

BSRT-2014-001 Vulnerabilities in Adobe Flash impact BlackBerry Z10 and
BlackBerry Q10 smartphone and BlackBerry PlayBook tablet software
http://blackberry.com/btsc/KB35565

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)

AusCERT personnel answer during Queensland business hours, which are
GMT+10:00 (AEST). On call after hours for member emergencies only.
===========================================================================