RIM Warns About BlackBerry Browser Bug, Recommends Updating To Newer OS Versions Not Yet Released?
on 29 Sep 2009 08:54 pm
Al Sacco over at CIO was advised today by a Twitter friend that RIM had posted some information regarding a security concern within their BlackBerry browser. The issue at hand is how the BlackBerry browser handles server certificates, specifically its handling of null characters in the domain name. To put it simply, an attacker can make a site appear to be legit when in reality it's leading you somewhere else, where you could possibly be inputting personal information. Think of PayPal being redirected to a site that looks like PayPal and asks you to log in, thus supplying your login and password to an unknown site.
The official statement from the RIM knowledge base reads:
This advisory relates to a BlackBerry® Browser dialog box that provides information about web site domain names and their associated certificates. The BlackBerry Browser dialog box informs the BlackBerry device user when there is a mismatch between the site domain name and the domain name indicated in the associated certificate, but does not properly illustrate that the mismatch is due to the presence of some hidden characters (for example, null characters) in the site domain name.
Issue Severity: This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 6.8.
Issue Status: Vulnerability confirmed. Check for software containing the security update based on your wireless service provider. For more information, see the Resolution section.
Recommendation: Complete the resolution actions documented in this advisory.
Mitigation: RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages. If a user visits a site that causes a BlackBerry Browser dialog box to warn the user about continuing the connection, the user should select Close connection.
Now, while the security issue is a real concern, RIM's suggested path of action really is not the best. As pointed out by Al, some of the updates they are suggesting are not even available for users to download as of yet. This is due to the way RIM OS updates are released, having to pass carrier approval before release. Until the updates actually hit carriers and are released, the only advice is to close any website that produces a warning dialog like the one in the screenshot provided. Clearly RIM will need to address this further at the carrier level to ensure users are not left with this problem again.
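As an added illustration, not code from the post or from RIM, the snippet below shows how a null byte hidden in a certificate's domain name slips past a comparison that stops at the first NUL (the class of bug the advisory describes), and how a checker that refuses hidden characters and reports them explicitly, as the browser's dialog should, handles the same input. All domain names in it are constructed for the example.

```python
import re

# One DNS label (RFC 1035 letters/digits/hyphens); "*" allowed only as a whole label.
_LABEL_RE = re.compile(r"^(?:\*|[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)$")


def c_string_view(name: str) -> str:
    """What a NUL-terminated C string API sees: everything before the first '\\0'."""
    return name.split("\x00", 1)[0]


def naive_match(presented: str, requested: str) -> bool:
    """The flawed comparison: only the part before the hidden NUL is compared."""
    return c_string_view(presented).lower() == requested.lower()


def find_hidden_chars(name: str) -> list:
    """Return (index, repr) for every control / non-printable character in a name."""
    return [(i, repr(ch)) for i, ch in enumerate(name) if ord(ch) < 0x20 or ord(ch) == 0x7F]


def safe_match(presented: str, requested: str) -> bool:
    """Reject hidden characters and malformed labels, then match the whole name.

    A single left-most wildcard label is accepted, and only when at least two
    labels follow it (so "*.com" never matches "example.com").
    """
    if find_hidden_chars(presented) or find_hidden_chars(requested):
        return False
    p_labels = presented.lower().split(".")
    r_labels = requested.lower().split(".")
    if not all(_LABEL_RE.match(label) for label in p_labels + r_labels):
        return False
    if "*" in r_labels or len(p_labels) != len(r_labels) or len(p_labels) < 2:
        return False
    if p_labels[0] == "*":
        return len(p_labels) >= 3 and p_labels[1:] == r_labels[1:]
    return p_labels == r_labels


def describe_mismatch(presented: str, requested: str) -> str:
    """Text a user-facing warning should show: name the hidden characters explicitly."""
    hidden = find_hidden_chars(presented)
    if hidden:
        where = ", ".join(f"{r} at index {i}" for i, r in hidden)
        return f"certificate name contains hidden characters ({where}); it is not {requested}"
    return f"certificate name {presented!r} does not match {requested!r}"
```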