With the Adobe vulnerability, the attacker would require BlackBerry users to download Flash, which does not come preinstalled on BlackBerry's BB10 or tablet OS. For those with Flash, the vulnerability meant hackers could target Z10, Q10 and PlayBook devices running older versions of its tablet and BB10 OS, using infected webpages containing Flash content or malicious Air applications.
The BlackBerry alert said: "Successful exploitation requires that an attacker craft malicious Adobe Flash content that they must then persuade the customer to access on a webpage, or as a downloaded Adobe Air application. If these specific requirements are met, an attacker could potentially execute arbitrary code in the context of the application that opens the specially crafted Adobe Flash content."
The significance of the libexif vulnerability has also been questioned as it only relates to BlackBerry's PlayBook tablet, a device that boasts woefully low sales even in the enterprise space. BlackBerry confirmed that the vulnerability relates to multiple flaws in the libexif code.
"Multiple vulnerabilities exist in the open-source EXIF tag parsing library (libexif) supplied with affected versions of the BlackBerry PlayBook Tablet OS. The libexif library is an open-source component used for processing EXIF metadata tags embedded in images. Successful exploitation of one or more of these vulnerabilities could result in an attacker executing code in the context of the application that opens the specially crafted image," read the advisory.
"In order to exploit these vulnerabilities, an attacker must craft an image with malformed EXIF data. The attacker must then cause the user to take action to open or save the image, after the image has been displayed in an email message or on a webpage."
The two WebKit vulnerabilities relate to the Z10 and Playbook tablet, though BlackBerry claims neither is currently being exploited by hackers. BlackBerry reported the two meant hackers could theoretically use a malicious JavaScript to mount a remote code execution strike.
Despite being theoretically interesting, the security community has supported BlackBerry's claim that it is unlikely that the vulnerabilities have been exploited by hackers. F-Secure security analyst Sean Sullivan told V3 this is because BlackBerry's robust security and low market share mean it would not be financially worthwhile for criminals to exploit them.
"I don't think this makes for very useful crimeware. Not a good return on investment. However, this could be very useful for espionage efforts. There are probably some vulnerability vendors already sitting on exploits that might be useful to chain to this Flash one. And there are still important people using BlackBerrys. So a targeted attack could be a concern," he said.
Smartphone security has been a growing concern for businesses, though traditionally Google's Android operating system has been the main target. This is because it takes an open approach, allowing coders and developers to tweak it and release products on it outside of official Google marketplaces.
The approach has made it easier to sneak money-making Trojan apps onto Android and is often listed as a key reason why it is the most targeted mobile operating system. Most recently the US Department of Defense issued a report warning that 79 percent of all mobile threats are designed to target Android.
No comments:
Post a Comment