RIM Warns About BlackBerry Browser Bug, Recommends Updating To Newer OS Versions Not Yet Released?
By Bla1ze | 29 Sep 2009 20:54 | 16 comments

Al Sacco over at CIO was tipped off today by a Twitter friend that RIM had posted some information regarding a security concern within the BlackBerry browser. The issue at hand is how the BlackBerry browser handles server certificates and its method of reading null characters. To put it simply, hackers can make a site appear to be legit when in reality it's leading you somewhere else, where you could end up entering personal information. Think of Paypal being redirected to a site that looks like Paypal and asks you to log in, thus supplying your login and password to an unknown site.

The official statement from the RIM knowledge base reads:

Overview

This advisory relates to a BlackBerry® Browser dialog box that provides information about web site domain names and their associated certificates. The BlackBerry Browser dialog box informs the BlackBerry device user when there is a mismatch between the site domain name and the domain name indicated in the associated certificate, but does not properly illustrate that the mismatch is due to the presence of some hidden characters (for example, null characters) in the site domain name.

Issue Severity: This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 6.8.

Issue Status: Vulnerability confirmed. Check for software containing the security update based on your wireless service provider. For more information, see the Resolution section.

Recommendation: Complete the resolution actions documented in this advisory.

Mitigation: RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages. If a user visits a site that causes a BlackBerry Browser dialog box to warn the user about continuing the connection, the user should select Close connection.

Now, while the security issue is a concern, RIM's suggestions and course of action really are not the best. As pointed out by Al, some of the updates they are suggesting are not even available for users to download yet. This is due to the way RIM OS updates are released, having to pass carrier approval before release. Until the updates actually hit carriers and are released, the suggestion is simply to close any website where you see a dialog that looks similar to the screenshot provided, but clearly RIM will need to address this further at the carrier level to ensure users are not left with this problem again.
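To make the advisory's point concrete, here is an added example (not RIM's code and not from the original post) of a name comparison that treats both names as raw bytes and renders hidden characters visibly, so a mismatch caused by a null character cannot look like two identical names. The function names and the sample names are assumptions constructed for illustration.

```python
# Added illustration: byte-exact comparison of a site name and a certificate
# name, with hidden characters made visible. All names are hypothetical.

def c_string_view(name: bytes) -> bytes:
    """What a NUL-terminated string routine sees: the bytes before the first NUL."""
    return name.split(b"\x00", 1)[0]


def hidden_bytes(name: bytes) -> list:
    """Offsets of bytes that are not printable, non-space ASCII."""
    return [i for i, b in enumerate(name) if not 0x21 <= b <= 0x7E]


def visible(name: bytes) -> str:
    """Render a name for a dialog or log with hidden bytes shown as \\xNN."""
    return "".join(chr(b) if 0x21 <= b <= 0x7E else f"\\x{b:02x}" for b in name)


def compare_names(site_name: bytes, cert_name: bytes) -> dict:
    """Compare the full byte strings; never stop at the first NUL."""
    exact = site_name.lower() == cert_name.lower()
    # True when the names only agree if everything after a NUL is ignored.
    looks_same = c_string_view(site_name).lower() == c_string_view(cert_name).lower()
    site_hidden = hidden_bytes(site_name)
    cert_hidden = hidden_bytes(cert_name)
    return {
        "match": exact and not site_hidden and not cert_hidden,
        "hidden_char_mismatch": looks_same and not exact,
        "site_display": visible(site_name),
        "cert_display": visible(cert_name),
        "hidden_offsets": {"site": site_hidden, "cert": cert_hidden},
    }


if __name__ == "__main__":
    # Constructed sample names (reserved example/test domains).
    samples = [
        (b"www.example.com", b"www.example.com"),
        (b"www.example.com\x00.other.test", b"www.example.com"),
        (b"www.example.com", b"www.example.org"),
    ]
    for site, cert in samples:
        print(compare_names(site, cert))
```

A name containing any hidden byte is never reported as a match, and the display strings are what a warning dialog would need to show for the user to see why the names differ.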

Filed Under: News & Rumors
Comments
By: cinsu | Date: Tue, 09/29/2009 - 20:07

Maybe they are just hinting at the imminent release to occur overnight????

By: Ravenell | Date: Tue, 09/29/2009 - 20:22

Now that's wishful thinking.

By: nedqadams | Date: Tue, 09/29/2009 - 20:15

When I updated to the "full" 230 this afternoon I was prompted by DM to install a full update to BB Core 4.7 OS. I was previously on the "partial" .230 leak so I'm not sure why it thought a 4.7 update would be newer.

I didn't check to see what the actual os was though.

By: storm83 | Date: Tue, 09/29/2009 - 20:15

Let's hope so. I'm hoping 5.0 comes out this weekend.

By: codemaker | Date: Tue, 09/29/2009 - 20:31

I hope this release fixes the bugs in the .169 8830 release.

By: DFL | Date: Tue, 09/29/2009 - 20:35

I think it's coming pretty soon

By: tmp3150 | Date: Tue, 09/29/2009 - 20:56

Perhaps another leak will be arriving.

By: gtstang462002 | Date: Tue, 09/29/2009 - 21:07

There has been a leak for just about every phone this week hasn't there. ;)

By: trucksmoveamerica | Date: Wed, 09/30/2009 - 08:03

Which leads me to think there will be an official soon from even slow Verizon. And with this out and about, I think Verizon will move a little faster. I will give Verizon credit, they are concerned about their customers' privacy, and this could move them to release and work on bugs later. Besides, most of the bugs on .230 are app related.

By: CeluGeek | Date: Wed, 09/30/2009 - 08:17

... if T-Mobile releases a 4.6 update for the 8900 that fixes this issue plus the UMA mess that is their current build .231.

By: johnnywoods | Date: Wed, 09/30/2009 - 09:51

Horrible grammar in that last paragraph.

By: Retrokid223 | Date: Wed, 09/30/2009 - 10:51

Wow this is very shocking lol I downloaded .230 last night and downgraded it because I noticed a lot of bugs with it

By: johnnyboyya | Date: Wed, 09/30/2009 - 13:42

I upgraded my .230 and it's been perfect for me better than all and even the .167 I love this version :) have not noticed any bugs except pandora sometimes stops the song at the end and u have to skip it but who cares :)

By: cj100570 | Date: Wed, 09/30/2009 - 14:12

RIM needs to take the Apple approach and release updates through Desktop Manager. I got a number of those warnings while I was running the 4.7 spins on my Storm but I haven't seen them while surfing to the same sites on 5.0.0.230. Thank goodness for leaks.

By: VZWRocka | Date: Wed, 09/30/2009 - 22:14

That wouldn't really help anything. It's the carrier that decides what updates to release, not RIM, regardless of the method of delivery (OTA, DM, or download). In fact if they were to switch to that method it would just make it that much harder to install other carrier's official updates.

By: jmiles3bb | Date: Thu, 10/01/2009 - 11:34

I misplaced my cable to connect my BB to my PC. I finally decided to update to 5.0 and now the update is just sitting there :(

 