-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1271
BSRT-2013-008 Vulnerability in Webkit browser engine impacts BlackBerry Z10
            smartphone and BlackBerry PlayBook tablet software
                             12 September 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry Z10 smartphone
                   BlackBerry PlayBook tablet
Publisher:         Blackberry
Operating System:  BlackBerry Device
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0999  

Reference:         ESB-2013.0788
                   ESB-2013.0705

Original Bulletin: 
   http://www.blackberry.com/btsc/kb34779

- --------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2013-008 Vulnerability in Webkit browser engine impacts BlackBerry Z10 
smartphone and BlackBerry PlayBook tablet software

Article ID: KB34779

Type:   BlackBerry Security Advisory

First Published: 09-10-2013

Last Modified: 09-10-2013

Overview

This advisory addresses a WebKit remote code execution vulnerability that is 
not known to be exploited at the time of publication but affects BlackBerry Z10 
smartphone and BlackBerry PlayBook tablet customers. BlackBerry customer risk is limited 
by the BlackBerry 10 OS and the BlackBerry tablet OS design, which restricts 
an application's access to system resources and the private data of other 
applications. Successful exploitation requires an attacker to create a 
malicious website or compromise a legitimate website, and requires that a 
BlackBerry Z10 smartphone or BlackBerry tablet user view a webpage containing 
the malicious JavaScript content.  If the requirements are met for 
exploitation, an attacker could potentially execute code in the BlackBerry 
Browser. After installing the recommended software update, affected BlackBerry 
Z10 customers and BlackBerry tablet customers will be fully protected from 
this vulnerability.

Who should read this advisory?
- - BlackBerry Z10 smartphone users
- - BlackBerry PlayBook tablet users
- - IT administrators who deploy BlackBerry Z10 smartphones in an enterprise
- - IT administrators who deploy BlackBerry PlayBook tablets in an enterprise

Who should apply the software fix(es)?
- - BlackBerry Z10 smartphone users
- - BlackBerry PlayBook tablet users
- - IT administrators who deploy BlackBerry Z10 smartphones in an enterprise
- - IT administrators who deploy BlackBerry PlayBook tablets in an enterprise

More Information

Have any BlackBerry customers been subject to an attack that exploits this 
vulnerability?

BlackBerry is not aware of any attacks on, or specifically targeting, 
BlackBerry Z10 smartphone and BlackBerry tablet customers using this 
vulnerability.

What factors affected the release of this security advisory?

This advisory addresses a publicly known WebKit vulnerability. BlackBerry 
publishes full details of a software update in a security advisory after the 
fix is available to the majority of our customers and wireless service provider 
partners. Publishing this advisory ensures that all of our customers can 
protect themselves by either updating their software, employing available 
workarounds or implementing mitigations included in this advisory until the 
software update is available to them. Customers for whom the software update 
is not yet available should contact their wireless service provider to request 
BlackBerry 10 OS version 10.0.10.261 or later and/or BlackBerry Tablet OS 
version 2.1.0.1753 or later.

Where can I read more about BlackBerry Z10 smartphone and BlackBerry PlayBook 
tablet security?

Read the BlackBerry PlayBook Tablet Security Feature Overview and the 
BlackBerry Enterprise Service 10 Security Technical Overview for more 
information on security features in the BlackBerry Z10 smartphone and 
BlackBerry PlayBook tablet.

Where can I read more about the security of BlackBerry products and solutions?

Visit http://us.blackberry.com/business/topics/security.html for more 
information on BlackBerry security.

Affected Software and Resolutions

Customers can read the following lists to determine if their BlackBerry Z10 
smartphone or BlackBerry PlayBook tablet is affected.

Affected Software
- - BlackBerry 10 OS earlier than version 10.0.10.261, except versions 
10.0.9.2709 and 10.0.9.2743
- - BlackBerry PlayBook tablet software earlier than version 2.1.0.1753

Non-Affected Software
- - BlackBerry 10 OS version 10.0.9.2743
- - BlackBerry 10 OS version 10.0.9.2709
- - BlackBerry 10 OS version 10.0.10.261 or later
- - BlackBerry 10 OS version 10.1
- - BlackBerry 7 OS and earlier
- - BlackBerry PlayBook tablet software version 2.1.0.1753 or later

Are BlackBerry smartphones affected?

Yes; only BlackBerry Z10 smartphones running BlackBerry 10 OS earlier than 
version 10.0.10.261 are affected, except versions 10.0.9.2709 and 10.0.9.2743.
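The version rules above are easy to get wrong in an inventory script because BlackBerry build strings must be compared numerically, component by component: compared as plain strings, "10.0.9.2743" sorts after "10.0.10.261" and a fixed build would be reported as vulnerable. The following is an added example, not BlackBerry code; it encodes the affected and non-affected lists from this advisory and runs them over a constructed inventory (the device names, the product labels "bb10", "playbook", "q10", "q5" and "bb7", and the builds 10.0.9.422, 10.1.0.2312 and 2.1.0.1526 are hypothetical sample data).

```python
"""Affected-version triage for BSRT-2013-008 (CVE-2013-0999).

Added example, not BlackBerry code.  Encodes the version rules stated in the
advisory for BlackBerry 10 OS (Z10) and BlackBerry PlayBook tablet OS.  Build
strings are parsed into integer tuples before comparison; string comparison
would sort "10.0.9.2743" after "10.0.10.261" and misclassify a fixed build.
"""

# Fixed releases named in the advisory.
FIXED_BB10 = (10, 0, 10, 261)
FIXED_PLAYBOOK = (2, 1, 0, 1753)
# BlackBerry 10 OS builds older than 10.0.10.261 that already carry the fix.
BB10_FIXED_EXCEPTIONS = {(10, 0, 9, 2709), (10, 0, 9, 2743)}
# Products the advisory lists as never affected (BlackBerry 7 OS and earlier;
# Q10 and Q5, which ship with the fix).  Labels are hypothetical.
NEVER_AFFECTED = ("bb7", "q10", "q5")


def parse_version(text):
    """'10.0.10.261' -> (10, 0, 10, 261).  Rejects empty or non-numeric parts."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("malformed version string: %r" % (text,))
    return tuple(int(p) for p in parts)


def bb10_affected(version):
    """True if a BlackBerry 10 OS build on a Z10 still needs the update."""
    v = parse_version(version)
    if v in BB10_FIXED_EXCEPTIONS:
        return False
    # Tuple comparison is lexicographic on integers, so 10.0.9.x < 10.0.10.x
    # and 10.1 > 10.0.10.261, matching the advisory's lists.
    return v < FIXED_BB10


def playbook_affected(version):
    """True if a BlackBerry PlayBook tablet OS build still needs the update."""
    return parse_version(version) < FIXED_PLAYBOOK


def is_affected(product, version):
    """product: 'bb10' (Z10 smartphone), 'playbook' (tablet), or a label in
    NEVER_AFFECTED.  Unknown product labels are rejected rather than guessed."""
    checks = {"bb10": bb10_affected, "playbook": playbook_affected}
    if product in NEVER_AFFECTED:
        return False
    if product not in checks:
        raise ValueError("unknown product: %r" % (product,))
    return checks[product](version)


# Constructed inventory (hypothetical device names and builds), one
# "device,product,version" record per line.
SAMPLE_INVENTORY = """\
handset-01,bb10,10.0.9.2743
handset-02,bb10,10.0.9.422
handset-03,bb10,10.0.10.261
handset-04,bb10,10.1.0.2312
handset-05,q10,10.1.0.2312
tablet-01,playbook,2.1.0.1526
tablet-02,playbook,2.1.0.1753
"""


def devices_needing_update(inventory_text):
    """Return the names of devices whose build is affected, in inventory order."""
    needing = []
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        name, product, version = (f.strip() for f in line.split(","))
        if is_affected(product, version):
            needing.append(name)
    return needing


if __name__ == "__main__":
    for name in devices_needing_update(SAMPLE_INVENTORY):
        print("%s: update required" % name)
```

On the constructed inventory only handset-02 (10.0.9.422, older than the fix and not one of the two exception builds) and tablet-01 (2.1.0.1526) are reported; the two 10.0.9 exception builds, 10.0.10.261 itself, and 10.1 are all treated as fixed, as the advisory's lists require.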

Resolution

BlackBerry has issued a fix for this vulnerability, which is included in 
BlackBerry 10 OS versions 10.0.10.261 and later, as well as 10.0.9.2709 and 
10.0.9.2743, and in BlackBerry tablet software version 2.1.0.1753 and later. 
These software updates resolve this vulnerability on affected versions of 
BlackBerry Z10 smartphones and the BlackBerry tablet. Customers should update 
their BlackBerry Z10 smartphone to BlackBerry 10 OS version 10.0.10.261 or 
later and update their BlackBerry tablet software to version 2.1.0.1753 or 
later to be fully protected from this issue.

Note: Customers who are running a BlackBerry 10 OS version earlier than 
10.0.10.261 (except versions 10.0.9.2709 or 10.0.9.2743) and/or a BlackBerry 
tablet OS version earlier than 2.1.0.1753 but do not see a software update 
notification, and whose device indicates that the software is up to date, 
should contact their wireless service provider to request BlackBerry 10 OS 
version 10.0.10.261 or later and/or BlackBerry Tablet OS version 2.1.0.1753 or 
later.

See the Mitigations section of this advisory for information on how to mitigate 
potential risk until the software update is available for all customers.

Update by Accessing the Software Update Notification

BlackBerry Z10 smartphones and BlackBerry PlayBook tablets use notifications to 
keep customers informed about software updates. When a new software update 
notification is available, it appears in the status ribbon at the top of the 
screen on the BlackBerry PlayBook tablet, and within the Notifications section 
of the BlackBerry Hub on a BlackBerry Z10 smartphone. Simply view the 
notifications and follow the steps to access the latest software update
notification and complete the software update.

Manually Check for Software Updates on BlackBerry Z10 smartphones

1. From the home screen, swipe down from the top of the screen.
2. Tap Settings, then Software Updates.
3. Tap Check for Updates.

Manually Check for Software Updates on the BlackBerry PlayBook tablet

1. From the home screen, swipe down from the top of the screen.
2. Tap Software Updates.
3. Tap Check for Updates.

Customers can also update their BlackBerry Z10 smartphone software using 
BlackBerry Link and their BlackBerry tablet software using BlackBerry Desktop 
Software. For more information, see the Help documentation for BlackBerry Link 
or the Help documentation for BlackBerry Desktop Software.

After customers update their software, the screen will indicate that BlackBerry 
10 OS version 10.0.10.261 or later, or BlackBerry Tablet OS version 2.1.0.1753 
or later, is installed on the device.

More Information

How can I find out what version of the BlackBerry 10 OS I am running?

For BlackBerry Z10 smartphones:

1. From the home screen, swipe down from the top of the screen.
2. Tap Settings.
3. Tap About, and view the OS Version or Software Release field in the OS 
settings.

For the BlackBerry PlayBook tablet:

1. From the home screen, swipe down from the top of the screen.
2. Tap About, and view the OS Version.

Are new (still in the box) BlackBerry Z10 smartphones and BlackBerry PlayBook 
tablets exposed to this vulnerability?

During the initial setup process, both the BlackBerry Z10 smartphone and the 
BlackBerry PlayBook tablet will download and install the latest version of the 
OS available from the customer’s carrier. The fix for this vulnerability is 
included in BlackBerry Z10 smartphone software version 10.0.10.261 and later, 
as well as versions 10.0.9.2709 and 10.0.9.2743, and in BlackBerry tablet 
software version 2.1.0.1753 and later.

Note: Customers who are running a BlackBerry 10 OS version earlier than 
10.0.10.261 (except versions 10.0.9.2709 or 10.0.9.2743) and/or a BlackBerry 
Tablet OS version earlier than 2.1.0.1753, but who do not see a software update 
notification and whose device indicates that the software is up to date, 
should contact their wireless service provider to request BlackBerry 10 OS 
version 10.0.10.261 or later and/or BlackBerry Tablet OS version 2.1.0.1753 or 
later.

Are BlackBerry Q10 or Q5 smartphones exposed to this vulnerability?

No. The fix for this vulnerability is included in all versions of the 
BlackBerry Q10 and Q5 smartphone software.

Does the BlackBerry Z10 smartphone and/or BlackBerry PlayBook tablet force me 
to update my software?

No, customer action is required to update the software. BlackBerry Z10 
smartphones and BlackBerry PlayBook tablets use notifications to keep 
customers informed about software updates and provide instructions to help 
customers install a software update. Customers can also manually check for 
software updates. See the Resolution section of this advisory for BlackBerry 
device software update instructions.

Vulnerability Information

A vulnerability exists in the JavaScriptCore component of the open source 
WebKit browser engine included in affected versions of the BlackBerry Z10 
smartphone and BlackBerry PlayBook tablet. The JavaScriptCore component 
interprets and executes JavaScript in the browser. Successful exploitation of 
the vulnerability could result in an attacker executing code in the context of 
the web browser.

In order to exploit this vulnerability, an attacker must place maliciously 
crafted JavaScript on a website; the website could be an otherwise legitimate 
website that the attacker has compromised. An example of a website that could 
be compromised is a site that accepts or hosts user-provided JavaScript content 
or advertisements. The attacker must then persuade the user to access the 
webpage containing maliciously crafted JavaScript using the BlackBerry Z10 
smartphone and/or the BlackBerry PlayBook tablet’s browser.

This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 
6.8. For a description of the WebKit security issue that this security 
advisory addresses, see the CVE® identifier CVE-2013-0999.

Mitigations

BlackBerry Z10 smartphone and PlayBook

The capabilities and permissions of BlackBerry PlayBook tablet and BlackBerry 
Z10 smartphone applications are restricted using a technique called sandboxing. 
Sandboxing limits the impact that a vulnerability in one application can have 
on the confidentiality or integrity of other applications and of the private 
data associated with them.

In a web-based attack scenario, an attacker could host a specially crafted 
website that is designed to exploit this vulnerability through the 
BlackBerry Browser and then convince a user to view the website, or the 
attacker could take advantage of compromised websites and websites that accept 
or host user-provided content or advertisements. These websites could contain 
specially crafted content that could exploit this vulnerability. In all 
cases, however, an attacker would have no way to force users to view the 
attacker-controlled content.

Workarounds

BlackBerry recommends that all users apply the available software update to 
fully protect their BlackBerry Z10 smartphone, and/or BlackBerry PlayBook 
tablets.

All workarounds should be considered temporary measures for customers to 
employ if they cannot install the update immediately or must perform standard 
testing and risk analysis. BlackBerry recommends that customers without these 
requirements install the update to secure their systems.

BlackBerry PlayBook

For users who are unable to upgrade at this time, the risk can be mitigated 
by temporarily disabling JavaScript in the browser on the BlackBerry PlayBook 
tablet (in the browser, tap Options > Content, and set Enable JavaScript to 
Off).
Important: Turning off JavaScript in the browser will impact the ability to 
view content on some web pages and result in a diminished browsing experience.

Once users have upgraded their BlackBerry tablet software, they can re-enable 
JavaScript content in the browser (in the browser, tap Options > Content, and 
set Enable JavaScript to On).

BlackBerry Z10 smartphone

There are no workarounds for the BlackBerry Z10 smartphone regarding this 
vulnerability. BlackBerry recommends that all users apply the available 
software update to fully protect their BlackBerry Z10 smartphone.

Definitions

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names 
(CVE Identifiers) for publicly known information security vulnerabilities 
maintained by the MITRE Corporation.

CVSS

CVSS is a vendor-agnostic, open industry standard designed to convey the 
severity of vulnerabilities. CVSS scores may be used to determine the urgency 
of update deployment within an organization. CVSS scores range from 0.0 
(no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability 
assessments to present an immutable characterization of security issues. 
BlackBerry assigns all relevant security issues a non-zero score. Customers 
performing their own risk assessments of vulnerabilities that may impact them 
can benefit from using the same industry-recognized CVSS metrics.
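The advisory quotes a CVSS score of 6.8 for this issue (Vulnerability Information section) but does not show how that number is arrived at. The following is an added example, not BlackBerry's tooling: it implements the published CVSS v2 base-score equations so a score can be reproduced and decomposed from a vector string. The advisory does not state the vector; the one used below, AV:N/AC:M/Au:N/C:P/I:P/A:P, is the vector NVD records for CVE-2013-0999 and is an assumption here, not a statement from BlackBerry. The calculator is general, so it also reproduces the scores of other vectors.

```python
"""CVSS v2 base-score calculator.

Added example, not BlackBerry's tooling.  Implements the CVSS v2 base
equations (impact and exploitability subscores, f(Impact), and the final
one-decimal rounding).  The vector AV:N/AC:M/Au:N/C:P/I:P/A:P used in the demo
is the one NVD records for CVE-2013-0999; the advisory itself gives only the
score, so the vector is an assumption.
"""

# Metric weights from the CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},    # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},     # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},    # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},     # Confidentiality impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},     # Integrity impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},     # Availability impact
}


def parse_vector(vector):
    """'AV:N/AC:M/Au:N/C:P/I:P/A:P' -> {'AV': 'N', ...}.

    Every base metric must appear exactly once with a value the spec defines;
    anything else is rejected rather than silently scored.
    """
    metrics = {}
    for item in vector.split("/"):
        name, _, value = item.partition(":")
        if name not in WEIGHTS or value not in WEIGHTS[name] or name in metrics:
            raise ValueError("bad CVSS v2 metric: %r" % (item,))
        metrics[name] = value
    missing = set(WEIGHTS) - set(metrics)
    if missing:
        raise ValueError("missing metrics: %s" % ", ".join(sorted(missing)))
    return metrics


def impact_subscore(m):
    """Impact = 10.41 * (1 - (1-C)(1-I)(1-A))."""
    c, i, a = (WEIGHTS[k][m[k]] for k in ("C", "I", "A"))
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def exploitability_subscore(m):
    """Exploitability = 20 * AV * AC * Au."""
    av, ac, au = (WEIGHTS[k][m[k]] for k in ("AV", "AC", "Au"))
    return 20 * av * ac * au


def base_score(vector):
    """CVSS v2 base score rounded to one decimal place.

    f(Impact) is 0 when there is no impact at all, which forces the score to
    0.0 regardless of exploitability.  Python's round() differs from the
    spec's round-half-up only at exact .x5 boundaries.
    """
    m = parse_vector(vector)
    impact = impact_subscore(m)
    exploit = exploitability_subscore(m)
    f_impact = 0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploit) - 1.5) * f_impact, 1)


if __name__ == "__main__":
    v = "AV:N/AC:M/Au:N/C:P/I:P/A:P"   # assumed vector, see module docstring
    print("%s -> base score %.1f" % (v, base_score(v)))
```

Running the demo prints 6.8 for the assumed vector: partial loss of confidentiality, integrity and availability gives an impact subscore of about 6.44, and a network-reachable, medium-complexity, unauthenticated attack gives an exploitability subscore of about 8.59; the "user must view a malicious page" condition in this advisory is what keeps Access Complexity at Medium rather than Low.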

Acknowledgements

BlackBerry acknowledges the following security researcher for reporting 
CVE-2013-0999 through ZDI: pa_kt (twitter.com/pa_kt).

Change Log
09-10-2013

Initial publication.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----