Blackberry releases first security fixes for new Z10 smartphone

Filed Under: Adobe, Adobe Flash, BlackBerry, Featured, Vulnerability

BBZ10-170Blackberry released two security bulletins yesterday, fixing flaws in its software for the Blackberry Playbook and Blackberry Z10 smartphone.

BSRT-2013-005 affects both the Z10 and the Playbook and fixes vulnerabilities in the bundled Adobe Flash Player.

This raises an important question in my mind, though. Why on earth has Blackberry launched a new mobile operating system with Flash support, knowing full well the number of vulnerabilities and in the wild attacks against it?

shutterstock_NoFlash170Apple was first to shun Flash while some Android handset makers bragged about Flash support. For about a month. Then Adobe pulled the plug on its own Android package.

This seemed to have resolved the issue and HTML5 was the winner for mobile interactive content. "Winner by default," or so I thought.

Now you might think it is a "nice to have" so long as Blackberry keeps it up-to-date and makes it easy to apply to your device. Adobe released Flash fixes yesterday too, right?

While that is true, the Flash fixes released by Blackberry yesterday were from back in January. Yes, they fixed the vulnerabilities described in APSB13-01.

I took a look back at fixes for the Playbook and discovered that Blackberry appears to continuously lag about five months behind.

The company released patches for the November and December 2012 Flash updates in May 2013.

Blackberry also released BSRT-2013-006, fixing a vulnerability in its Blackberry Protect application for the Z10 smartphone.

The vulnerability itself seems extremely difficult for an attacker to exploit:

"Successful exploitation requires not only that a customer enable BlackBerry® Protect™, use the feature to reset the device password, and download a specifically crafted malicious app, but also that an attacker gain physical access to the smartphone."

Nevertheless, there are some very important lessons to be learned from this bulletin.

"Unlock the work perimeter... if the work perimeter password is the same as the device password"

"Access any other local and enterprise services for which the legitimate user has used the same password as the smartphone’s password."

BBZ10-Password170Passwords. It always comes back to passwords. An even more difficult problem on smartphones than it is on dekstop and laptop computers.

While Blackberry's latest OS lets users segregate their work and home lives using "perimeters", those are only secure if you use different credentials to access each.

Even worse if you use the same password on your phone, your work perimeter, home perimeter and Active Directory credentials, one mistake brings down the whole house of cards.

It may be highly unlikely that you get compromised as a result of this vulnerability, but it is a good reminder on the importance of using unique passwords for each "role" in your life.

No flash image courtesy of Shutterstock.

, , , , ,

You might like

5 Responses to Blackberry releases first security fixes for new Z10 smartphone

  1. James Magnan · 496 days ago

    On the Blackberry Z10 and Q10, flash is disabled by default in the browser. It must be enabled in the options before it can run. (As opposed to the Playbook, where it is on by default)

  2. phsjr · 496 days ago

    Customers using BlackBerry® Q10 smartphones, BlackBerry Z10 users running BlackBerry 10 OS version 10.0.10.648 or later and BlackBerry PlayBook tablet users running version 2.1.0.1526 or later are not affected.

    • FMS · 495 days ago

      Looks like the author has to do his homework first! I love my Z10, and i think, it's the most secure smartphone with BB OS 10 on the market! And flash is disabled, who needs such a cr*p!

  3. "The vulnerability itself seems extremely difficult for an attacker to exploit"

    BlackBerry is a partner to the worlds most powerful and secure minded companies, ignoring a threat no matter how big or small isnt an option. Good on ya BlackBerry.

  4. shaun · 444 days ago

    so is the z10 secure? i mean what if say the police wanted to access the phones motherboard to view information sent and recieved by say via text messaging and/or bbm? are you guys telling me that its impossible? find that hard to belive!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Chester Wisniewski is a Senior Security Advisor at Sophos Canada. He provides advice and insight into the latest threats for security and IT professionals with the goal of providing clear guidance on complex topics. You can follow Chester on Twitter as @chetwisniewski, on App.net as Chester, Chester Wisniewski on Google Plus or send him an email at chesterw@sophos.com.