-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0006
            A number of vulnerabilities have been addressed in
                 BlackBerry Z10, Q10 and PlayBook devices
                              15 January 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              BlackBerry Z10 smartphones
                      BlackBerry Q10 smartphones
                      BlackBerry PlayBook tablets
Operating System:     BlackBerry Device
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
                      Denial of Service               -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-2555 CVE-2013-1380 CVE-2013-1379
                      CVE-2013-1378  
Member content until: Friday, February 14 2014
Reference:            ESB-2013.0517
                      ESB-2013.0508

OVERVIEW

        A number of vulnerabilities have been addressed in BlackBerry Z10 
        smartphones, BlackBerry Q10 smartphones, and BlackBerry PlayBook 
        tablets. [1]


IMPACT

        The vendor has provided the following details regarding these 
        issues:
        
        CVE-2013-1378, CVE-2013-1379, CVE-2013-1380, CVE-2013-2555: 
        "Vulnerabilities exist in the Flash Player version supplied with 
        affected versions of the BlackBerry 10 OS and PlayBook OS. The Flash
        Player is a cross-platform, browser-based application runtime.
        
        Successful exploitation of these vulnerabilities could potentially 
        result in an attacker executing code in the context of the 
        application that opens the specially crafted Flash content 
        (typically the web browser). Failed exploitation of this issue might
        result in abnormal or unexpected termination of the application.
        
        In order to exploit these vulnerabilities, an attacker must craft 
        Flash content in a stand-alone Flash (.swf) application or embed 
        Flash content in a website. The attacker must then persuade the user
        to access the Flash content by clicking a link to the content in an
        email message or on a webpage, or loading it as part of an AIR 
        application. The email message could be received at a webmail 
        account that the user accesses in a browser on BlackBerry Z10 and 
        BlackBerry Q10 smartphones and BlackBerry tablets.
        
        These vulnerabilities have a Common Vulnerability Scoring System 
        (CVSS) score of 6.8." [1]


MITIGATION

        BlackBerry has released a fix to correct these issues. [1]


REFERENCES

        [1] BSRT-2014-001 Vulnerabilities in Adobe Flash impact BlackBerry Z10
            and BlackBerry Q10 smartphone and BlackBerry PlayBook tablet
            software
            http://blackberry.com/btsc/KB35565

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----