BlackBerry Issues Flash and Heartbleed Patches

BlackBerry downplayed the issue in its security advisory

The company said that it was so far unaware of any actual exploits targeting its wares on either count.

BlackBerry devices themselves are unaffected by Heartbleed, but BlackBerry patched Adobe Flash remote code execution vulnerabilities in the BlackBerry Z10, Q10 and Q5 smartphones, whose BlackBerry 10 OS bundles Flash.

BlackBerry said the risks are limited because of the design of the BlackBerry 10 OS, which restricts application access to system resources and data of other applications.

“Successful exploitation requires an attacker to craft malicious Adobe Flash content and requires that a user access the malicious content on a webpage or as a downloaded Adobe AIR application,” BlackBerry said in the advisory. “If the requirements are met for exploitation, an attacker could potentially execute code with the rights of the application that opens the specially crafted malicious Flash content.”

Heartbleed, meanwhile, affects the BBM messaging service for Android and iPhone users, Secure Work Space for iOS and Android, BlackBerry Enterprise Service 10 and BlackBerry Link customers.

Heartbleed, a.k.a. the OpenSSL heartbeat extension read overflow, is a serious vulnerability in the popular OpenSSL cryptographic software library. The weakness allows an attacker to steal information that, under normal conditions, is protected by the SSL/TLS encryption used to secure the internet.

In BlackBerry’s case, successful exploitation requires an attacker to send a malformed request for a heartbeat reply to an SSL endpoint that is running a vulnerable version of OpenSSL. If the requirements are met for exploitation, an attacker could potentially gain access to limited but arbitrary data that is in memory.
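The "malformed heartbeat request" described above is one whose 2-byte length field claims a larger payload than the record actually carries. The following is an added illustration, not BlackBerry's or OpenSSL's code: a minimal RFC 6520 heartbeat handler that performs the bounds check the vulnerable OpenSSL versions lacked, run against two constructed messages (`good_req`, `bad_req`) to show that the oversized claim is rejected instead of being echoed back out of process memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): 1-byte type, 2-byte payload length,
 * payload, then at least 16 bytes of padding. Heartbleed was the result of
 * trusting the sender's length field instead of the bytes actually received. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Builds a heartbeat response into 'out' (capacity out_cap), echoing the
 * request payload. Returns the response length, or -1 if the request is
 * malformed. The length check has the same shape as the OpenSSL fix. */
int handle_heartbeat(const uint8_t *rec, size_t rec_len,
                     uint8_t *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;      /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* attacker-controlled */
    /* Heartbleed: this check was missing, so the memcpy below read 'payload'
     * bytes past the end of a short record and leaked adjacent memory. */
    if (1 + 2 + payload + HB_PADDING > rec_len) return -1;
    size_t resp_len = 1 + 2 + payload + HB_PADDING;
    if (resp_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(payload >> 8);
    out[2] = (uint8_t)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);         /* copy only what was received */
    memset(out + 3 + payload, 0, HB_PADDING);  /* real padding should be random */
    return (int)resp_len;
}

/* Constructed sample messages (not real captures). */
/* Well-formed: 4-byte payload "ping" followed by 16 bytes of padding. */
static const uint8_t good_req[] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
/* Malformed: identical bytes, but the length field claims 65535 bytes. */
static const uint8_t bad_req[] = { HB_REQUEST, 0xff, 0xff, 'p', 'i', 'n', 'g',
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

/* Returns the response length for the well-formed request (23 bytes). */
int demo_good(void) { uint8_t out[64]; return handle_heartbeat(good_req, sizeof good_req, out, sizeof out); }
/* Returns -1: the oversized claim is rejected rather than served from memory. */
int demo_bad(void)  { uint8_t out[64]; return handle_heartbeat(bad_req, sizeof bad_req, out, sizeof out); }
```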

BlackBerry downplayed the issue in its security advisory, noting that “customer risk is limited in all cases by the requirement that an attacker first gain access to an affected product in order to then mount a successful attack.” That includes the need for an attacker to successfully complete a man-in-the-middle attack that is capable of spoofing IP addresses.

Even so, BlackBerry aficionados should apply the patches and then change passwords for all of their user accounts.

Heartbleed continues to be a malevolent force: a scan by Errata Security last week, one month after the bug was discovered, found 318,239 systems on port 443 still vulnerable – down from 600,000 vulnerable systems when it was first discovered. Overall, Heartbleed is estimated to affect as many as two-thirds of internet-connected systems.
