Anyone with a BlackBerry Q10, Z10 or PlayBook should probably apply security updates, released this week, which fix dozens of publicly known flaws affecting Flash that Adobe released patches for on other platforms back in February.
BlackBerry opted to support Flash on its mobile devices even as others like Apple turned their back on the media player, but the company seems to be taking a long time to fix serious remote execution flaws in the software.
According to a BlackBerry security advisory, an update for BB 10 OS smartphones and PlayBook devices was published on Tuesday to address 24 flaws affecting Flash — vulnerabilities that Adobe dealt with on other platforms with four bulletins released in February and March this year.
Attacks exploiting the flaws can be launched via maliciously crafted Flash applications or embedded Flash content on a website. However, the risk is lower on Q10 and Z10 devices since, as BlackBerry notes, Flash is disabled by default, though that's not the case for PlayBook devices.
The software update targets Z10 and Q10 smartphones up to version 10.1.0.1720 or later, while for PlayBooks it's those running software versions before 188.8.131.523.
BlackBerry has also released fixes under two separate advisories for flaws affecting the Webkit browser engine on BlackBerry Z10 smartphones, one of which also impacts the PlayBook.
Z10 devices running a version of BB 10 OS earlier than 10.0.10.261 except versions 10.0.9.2709 and 10.0.9.2743 are affected. PlayBook devices running versions earlier than 184.108.40.2063 are also affected. BlackBerry said it was not aware of any attacks that use the flaw in either advisory.
Finally, BlackBerry has a fix for eight vulnerabilities in the libex library, a component used in PlayBook devices to process metadata tags embedded in images.
Hackers can exploit anyone of the flaws to execute code in an application that opens an attack image file, though BlackBerry was not aware of any attacks in the wild.
The attacker would need to convince the victim to open or save a booby-trapped image after it has been displayed in an email or a webpage. Customers running OS version 220.127.116.116 and earlier should apply the update that carries them forward to version 18.104.22.1683, which is not affected.