BlackBerry releases BB10 fixes for old Flash flaws


Summary: BlackBerry is rolling out fixes for dozens of flaws affecting software and components in Q10, Z10 smartphones and its PlayBook tablet.


Anyone with a BlackBerry Q10, Z10 or PlayBook should probably apply security updates, released this week, which fix dozens of publicly known flaws affecting Flash that Adobe released patches for on other platforms back in February.

BlackBerry opted to support Flash on its mobile devices even as others like Apple turned their backs on the media player, but the company seems to be taking a long time to fix serious remote execution flaws in the software.

According to a BlackBerry security advisory, an update for BB 10 OS smartphones and PlayBook devices was published on Tuesday to address 24 flaws affecting Flash — vulnerabilities that Adobe dealt with on other platforms with four bulletins released in February and March this year. 

Attacks exploiting the flaws can be launched via maliciously crafted Flash applications or embedded Flash content on a website. However, the risk is lower on Q10 and Z10 devices since, as BlackBerry notes, Flash is disabled by default, though that's not the case for PlayBook devices.

The software update targets Z10 and Q10 smartphones up to version 10.1.0.1720 or later, while for PlayBooks it's those running software versions before 2.1.0.1753.

BlackBerry has also released fixes under two separate advisories for flaws affecting the WebKit browser engine on BlackBerry Z10 smartphones, one of which also impacts the PlayBook.

Z10 owners running a version of BB 10 OS earlier than 10.1.0.1392 are exposed to a publicly known flaw in the JavaScriptCore component of the WebKit browser engine, which can be exploited in a drive-by attack to execute code in the web browser, according to the advisory.

In other words, for a Z10 owner to be exposed to the threat, a hacker would need to plant maliciously crafted JavaScript on a compromised website and trick the owner into visiting the site.

A second advisory details a similar WebKit flaw that affects both the Z10 and PlayBook, which can similarly be exploited through a malicious JavaScript hosted on a website to execute code in the browser.

Z10 devices running a version of BB 10 OS earlier than 10.0.10.261 except versions 10.0.9.2709 and 10.0.9.2743 are affected. PlayBook devices running versions earlier than 2.1.0.1753 are also affected. BlackBerry said it was not aware of any attacks that use the flaw in either advisory.

Finally, BlackBerry has a fix for eight vulnerabilities in the libexif library, a component used in PlayBook devices to process metadata tags embedded in images.

Hackers can exploit any one of the flaws to execute code in an application that opens a maliciously crafted image file, though BlackBerry was not aware of any attacks in the wild.

The attacker would need to convince the victim to open or save a booby-trapped image after it has been displayed in an email or a webpage. Customers running OS version 2.1.0.1526 and earlier should apply the update that carries them forward to version 2.1.0.1753, which is not affected. 


Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelor's degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full-time freelance technology journalist who writes for several publications.


Talkback

3 comments
  • all 10 users updated right away

    Done and done.
    greywolf7
  • Remind me again..

    what's a 'PlayBook'? Oh wait, it's that junk tablet BlackBerry released with plenty of false promises and left it to die. I remember now.
    AlbertEltawil
    • Untrue assessment.

      The PlayBook is a fantastic tablet I bought for $100. It does everything I need and the battery lasts forever. It is a fantastic product just like the new phones. However crippled by blowhards such as yourselves that do not even try them before bashing them.
      TheSkiBaron