BlackBerry releases BB10 fixes for old Flash flaws

BlackBerry is rolling out fixes for dozens of flaws affecting software and components in Q10, Z10 smartphones and its PlayBook tablet.

Anyone with a BlackBerry Q10, Z10 or PlayBook should probably apply security updates, released this week, which fix dozens of publicly known flaws affecting Flash that Adobe released patches for on other platforms back in February.

BlackBerry opted to support Flash on its mobile devices even as others like Apple turned their back on the media player, but the company seems to be taking a long time to fix serious remote execution flaws in the software.

According to a BlackBerry security advisory, an update for BB 10 OS smartphones and PlayBook devices was published on Tuesday to address 24 flaws affecting Flash — vulnerabilities that Adobe dealt with on other platforms with four bulletins released in February and March this year. 

Attacks exploiting the flaws can be launched via maliciously crafted Flash applications or embedded Flash content on a website. However, the risk is lower on Q10 and Z10 devices since, as BlackBerry notes, Flash is disabled by default, though that's not the case for PlayBook devices.

The software update targets Z10 and Q10 smartphones up to version or later, while for PlayBooks it's those running software versions before

BlackBerry has also released fixes under two separate advisories for flaws affecting the WebKit browser engine on BlackBerry Z10 smartphones, one of which also impacts the PlayBook.

Z10 owners running a version of BB 10 OS earlier than are exposed to a publicly known flaw in the JavaScriptCore component of the WebKit browser engine, which can be exploited in a drive-by attack to execute code in the web browser, according to the advisory.

In other words, for a Z10 owner to be exposed to the threat, a hacker would need to plant maliciously crafted JavaScript on a compromised website and trick the owner into visiting the site.

A second advisory details a similar WebKit flaw that affects both the Z10 and PlayBook, which can similarly be exploited through a malicious JavaScript hosted on a website to execute code in the browser.

Z10 devices running a version of BB 10 OS earlier than except versions and are affected. PlayBook devices running versions earlier than are also affected. BlackBerry said it was not aware of any attacks that use the flaw in either advisory.

Finally, BlackBerry has a fix for eight vulnerabilities in the libex library, a component used in PlayBook devices to process metadata tags embedded in images.

Hackers can exploit any one of the flaws to execute code in an application that opens an attack image file, though BlackBerry was not aware of any attacks in the wild.

The attacker would need to convince the victim to open or save a booby-trapped image after it has been displayed in an email or a webpage. Customers running OS version and earlier should apply the update that carries them forward to version, which is not affected. 
