Blackberry released two security bulletins yesterday, fixing flaws in its software for the Blackberry Playbook and Blackberry Z10 smartphone.
BSRT-2013-005 affects both the Z10 and the Playbook and fixes vulnerabilities in the bundled Adobe Flash Player.
This raises an important question in my mind, though. Why on earth has Blackberry launched a new mobile operating system with Flash support, knowing full well the number of vulnerabilities in it and the in-the-wild attacks against it?
Apple was first to shun Flash while some Android handset makers bragged about Flash support. For about a month. Then Adobe pulled the plug on its own Android package.
This seemed to have resolved the issue and HTML5 was the winner for mobile interactive content. “Winner by default,” or so I thought.
Now you might think it is a “nice to have” so long as Blackberry keeps it up-to-date and makes it easy to apply to your device. Adobe released Flash fixes yesterday too, right?
While that is true, the Flash fixes released by Blackberry yesterday were from back in January. Yes, they fixed the vulnerabilities described in APSB13-01.
I took a look back at fixes for the Playbook and discovered that Blackberry appears to consistently lag about five months behind.
The company released patches for the November and December 2012 Flash updates in May 2013.
Blackberry also released BSRT-2013-006, fixing a vulnerability in its Blackberry Protect application for the Z10 smartphone.
The vulnerability itself seems extremely difficult for an attacker to exploit:
"Successful exploitation requires not only that a customer enable BlackBerry® Protect™, use the feature to reset the device password, and download a specifically crafted malicious app, but also that an attacker gain physical access to the smartphone."
Nevertheless, there are some very important lessons to be learned from this bulletin.
"Unlock the work perimeter... if the work perimeter password is the same as the device password"
"Access any other local and enterprise services for which the legitimate user has used the same password as the smartphone’s password."
Passwords. It always comes back to passwords. They are an even more difficult problem on smartphones than on desktop and laptop computers.
While Blackberry’s latest OS lets users segregate their work and home lives using “perimeters”, those are only secure if you use different credentials to access each.
Even worse, if you use the same password for your phone, your work perimeter, your home perimeter and your Active Directory credentials, one mistake brings down the whole house of cards.
It may be highly unlikely that you get compromised as a result of this vulnerability, but it is a good reminder on the importance of using unique passwords for each “role” in your life.
On the Blackberry Z10 and Q10, Flash is disabled by default in the browser. It must be enabled in the options before it can run (as opposed to the Playbook, where it is on by default).
Customers using BlackBerry® Q10 smartphones, BlackBerry Z10 users running BlackBerry 10 OS version 10.0.10.648 or later and BlackBerry PlayBook tablet users running version 2.1.0.1526 or later are not affected.
Looks like the author has to do his homework first! I love my Z10, and I think it's the most secure smartphone with BB OS 10 on the market! And Flash is disabled, who needs such cr*p!
"The vulnerability itself seems extremely difficult for an attacker to exploit"
BlackBerry is a partner to the world's most powerful and security-minded companies; ignoring a threat, no matter how big or small, isn't an option. Good on ya BlackBerry.
So is the Z10 secure? I mean, what if, say, the police wanted to access the phone's motherboard to view information sent and received via, say, text messaging and/or BBM? Are you guys telling me that it's impossible? I find that hard to believe!