The BSRT-2013-005 patch addresses a flaw in both the Z10 and the Playbook, which has to do with a remote code execution vulnerability in Adobe Flash Player. The BSRT-2013-006 update meanwhile fixes a vulnerability in the Blackberry Protect application for the Z10 smartphone.
The latter is a difficult-to-exploit flaw: "Successful exploitation requires not only that a customer enable BlackBerry Protect, use the feature to reset the device password and download a specifically crafted malicious app, but also that an attacker gain physical access to the smartphone."
Nonetheless, the bulletin offers food for thought regarding passwords. The Protect flaw essentially allows a hacker with physical access to the device to wreak havoc with the bring-your-own device (BYOD) safeguards in the Z10. Users can set up different perimeters around apps, photos, content and so on, to segregate work from personal data. The flaw lets a hacker unlock the work perimeter if the work perimeter password is the same as the device password, and access any other local and enterprise services for which the legitimate user has used the same password as the smartphone’s password.
“While Blackberry's latest OS lets users segregate their work and home lives using perimeters, those are only secure if you use different credentials to access each,” said Sophos researcher Chester Wisniewski, in a blog. “Even worse, if you use the same password on your phone, your work perimeter, home perimeter and Active Directory credentials, one mistake brings down the whole house of cards.”
He added, “It may be highly unlikely that you get compromised as a result of this vulnerability, but it is a good reminder on the importance of using unique passwords for each role in your life.”
The Flash flaw is a whole different kettle of fish. BlackBerry said that the issue has not been actively exploited, and noted that “BlackBerry customer risk is limited by the BlackBerry 10 OS and the BlackBerry PlayBook Tablet OS design, which restrict an application's access to system resources and the private data of other applications.”
However, successful exploitation only requires a customer to fall for a phishing campaign, accessing maliciously created Adobe Flash content in an email or on a webpage. The mail message could be received at a webmail account that the user accesses in a browser on a BlackBerry Z10 smartphone and/or the BlackBerry PlayBook tablet.
“If all of the specific requirements are met for exploitation, an attacker could potentially execute arbitrary code in the context of the application that opens the specially crafted Adobe Flash content,” BlackBerry said.
BlackBerry admins may feel a bit better post-update, but Wisniewski said that he sees a warning flag in the patch.
“This raises an important question in my mind, though,” he said in a blog. “Why on Earth has Blackberry launched a new mobile operating system with Flash support, knowing full well the number of vulnerabilities and in-the-wild attacks against it?”
That’s particularly piquant considering that the latest patch actually incorporates Flash fixes from January – as described in APSB13-01.
“I took a look back at fixes for the Playbook and discovered that Blackberry appears to continuously lag about five months behind,” he said. “The company released patches for the November and December 2012 Flash updates in May 2013.”