In association with heise online

16 March 2011, 12:54

BlackBerry hole: RIM recommends workaround

  • Twitter
  • Facebook
  • submit to slashdot
  • StumbleUpon
  • submit to reddit

BlackBerry Logo In response to last week's disclosure of an (integer overflow) hole in the BlackBerry browser, Research In Motion (RIM) has recommended that users disable JavaScript. While this doesn't close the hole, it reportedly prevents potential exploits from injecting and executing arbitrary code. However, RIM said that the measure may also hamper the display and interactivity of certain web pages. Alternatively, the company suggests to completely disable the browser. The admins of corporate smartphones can reportedly do so remotely by appropriately configuring the "IT policy rules".

The hole affects the BlackBerry Device Software from version 6.0 on BlackBerry Torch 9800, Style 9670, Bold 9700, Bold 9650, Curve 9300 and Pearl 9100 devices. While the hole in WebKit reportedly allows potential attackers to access a phone's memory card and built-in media storage, RIM says that it doesn't give access to the emails, calendar data and address book entries in the phone's application storage. However, this statement has been contradicted by the Pwn2Own hack, which enabled the contestants not only to read the address book, but also to retrieve images from an internal cache.

Google has already closed the WebKit hole in its Chrome browser; RIM is still working on an update. What's more, Chrome's sandbox would have prevented exploits from accessing the system anyway. BlackBerry devices lack any features such as DEP or ASLR that are offered in modern operating systems to complicate or prevent potential attacks. However, even Apple only recently included ASLR in its iPhones with iOS 4.3.


Print Version | Send by email | Permalink:

  • July's Community Calendar

The H Open

The H Security

The H Developer

The H Internet Toolkit