===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1272
 BSRT-2013-007 Vulnerabilities in Adobe Flash Player version included with
           the BlackBerry Z10 and BlackBerry Q10 and BlackBerry
                         PlayBook tablet software
                             12 September 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           BlackBerry Z10
                   BlackBerry Q10
                   BlackBerry PlayBook
Publisher:         BlackBerry
Operating System:  BlackBerry Device
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-1375 CVE-2013-1374 CVE-2013-1373
                   CVE-2013-1372 CVE-2013-1371 CVE-2013-1370
                   CVE-2013-1369 CVE-2013-1368 CVE-2013-1367
                   CVE-2013-1366 CVE-2013-1365 CVE-2013-0650
                   CVE-2013-0649 CVE-2013-0648 CVE-2013-0647
                   CVE-2013-0646 CVE-2013-0645 CVE-2013-0644
                   CVE-2013-0642 CVE-2013-0639 CVE-2013-0638
                   CVE-2013-0637 CVE-2013-0634 CVE-2013-0633

Reference:         ESB-2013.0289
                   ESB-2013.0167

Original Bulletin: 
   http://www.blackberry.com/btsc/KB34774

---------------------------BEGIN INCLUDED TEXT--------------------

BSRT-2013-007 Vulnerabilities in Adobe Flash Player version included with the 
BlackBerry Z10 and BlackBerry Q10 and BlackBerry PlayBook tablet software

Type:   BlackBerry Security Advisory

First Published: 09-10-2013

Last Modified: 09-10-2013

Overview

This advisory addresses several Adobe Flash Player remote code execution 
vulnerabilities that are not currently being exploited but affect BlackBerry 
Z10 and BlackBerry Q10 smartphones and BlackBerry PlayBook tablets. BlackBerry 
customer risk is limited by the BlackBerry 10 OS and the BlackBerry tablet OS 
design, which restricts an application's access to system resources and the 
private data of other applications. Successful exploitation requires that an 
attacker craft malicious Adobe Flash content that they must then persuade the 
customer to access on a webpage, or as a downloaded Adobe AIR application. If 
these specific requirements are met, an attacker could potentially execute 
arbitrary code in the context of the application that opens the specially 
crafted Adobe Flash content. After installing the latest software update, 
BlackBerry Z10, BlackBerry Q10 and BlackBerry PlayBook tablet customers will 
be fully protected from these vulnerabilities.

Read the following Adobe security bulletins for further information on the 
issue:
- Adobe Security Bulletin APSB13-04, Security updates available for Adobe 
Flash Player
- Adobe Security Bulletin APSB13-05, Security updates available for Adobe 
Flash Player
- Adobe Security Bulletin APSB13-08, Security updates available for Adobe 
Flash Player
- Adobe Security Bulletin APSB13-09, Security updates available for Adobe 
Flash Player

Who should read this advisory?
- BlackBerry Z10 smartphone users
- BlackBerry Q10 smartphone users
- BlackBerry PlayBook tablet users
- IT administrators who deploy BlackBerry 10 smartphones in an enterprise
- IT administrators who deploy BlackBerry PlayBook tablets in an enterprise

Who should apply the software fix(es)?
- BlackBerry Z10 smartphone users
- BlackBerry Q10 smartphone users
- BlackBerry PlayBook tablet users
- IT administrators who deploy BlackBerry Z10 smartphones in an enterprise
- IT administrators who deploy BlackBerry PlayBook tablets in an enterprise

More Information

Have any BlackBerry customers been subject to an attack that exploits these 
vulnerabilities?

BlackBerry is not aware of any attacks on or specifically targeting BlackBerry 
Z10 smartphone, BlackBerry Q10 smartphone or BlackBerry PlayBook tablet 
customers using these Adobe vulnerabilities.

What factors affected the release of this security advisory?

This advisory addresses publicly known Adobe vulnerabilities. BlackBerry 
publishes full details of a software update in a security advisory after the 
fix is available to the majority of our customers and wireless service 
provider partners. Publishing this advisory ensures that all of our customers 
can protect themselves by either updating their software, or employing 
available workarounds if updating is not possible. Customers for whom the 
software update is not yet available should be aware of the available 
mitigations included in this advisory, and contact their wireless service 
provider to request BlackBerry 10 OS version 10.1.0.1720 or later and/or 
BlackBerry Tablet OS version 2.1.0.1753 or later.

Where can I read more about BlackBerry Z10 smartphone, BlackBerry Q10 
smartphone and BlackBerry PlayBook tablet security?

Read the BlackBerry PlayBook tablet Security Feature Overview and the 
BlackBerry Enterprise Service 10 Security Technical Overview for more 
information on security features in the BlackBerry PlayBook tablet.

Where can I read more about the security of BlackBerry products and solutions?

For more information on BlackBerry security, visit 
http://us.blackberry.com/business/topics/security.html.

Affected Software and Resolutions

Customers can read the following lists to determine if their BlackBerry Z10 
smartphone, BlackBerry Q10 smartphone or BlackBerry PlayBook tablet are 
affected.

Affected Software

- Adobe Flash Player versions included with BlackBerry 10 OS earlier than 
version 10.1.0.1720
- Adobe Flash Player versions included with BlackBerry PlayBook tablet 
software earlier than version 2.1.0.1753

Non-Affected Software
- BlackBerry 10 OS version 10.1.0.1720 or later
- BlackBerry 7 OS and earlier
- BlackBerry PlayBook tablet software version 2.1.0.1753 or later
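To decide from a device inventory export which handsets and tablets still need the OS update, here is an added example that applies the fixed versions and exemptions listed above. It is not code from the advisory or from BlackBerry; the platform labels and the inventory rows are constructed for illustration.

```python
"""Added example (not from the BlackBerry advisory): triage a constructed
device inventory against the fixed versions this advisory names.

Rules taken from the advisory's Affected / Non-Affected lists:
  BlackBerry 10 OS (Z10, Q10):    fixed in 10.1.0.1720 or later
  BlackBerry PlayBook tablet OS:  fixed in 2.1.0.1753 or later
  BlackBerry Q5:                  not affected (all shipped versions fixed)
  BlackBerry 7 OS and earlier:    not affected
Platform labels and every inventory row below are constructed samples.
"""
from typing import List, Tuple

# Minimum fixed build per platform, as stated in the advisory.
FIXED_VERSION = {
    "bb10": "10.1.0.1720",
    "playbook": "2.1.0.1753",
}
# Platforms the advisory lists as not affected at any version.
NOT_AFFECTED = {"q5", "bb7"}


def parse_version(text: str) -> Tuple[int, ...]:
    """Split a dotted build string into integers so comparison is numeric.
    Comparing the raw strings is wrong: "10.1.0.999" > "10.1.0.1720"
    lexicographically, yet build 999 is older than 1720 and still vulnerable."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version string: {text!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable(platform: str, version: str) -> bool:
    """True when the device still carries a Flash Player build this
    advisory covers and therefore needs the full OS update."""
    key = platform.lower()
    if key in NOT_AFFECTED:
        return False
    try:
        fixed = FIXED_VERSION[key]
    except KeyError:
        # An unknown platform is an inventory data problem; surface it
        # instead of silently treating the device as safe.
        raise ValueError(f"unknown platform: {platform!r}") from None
    return parse_version(version) < parse_version(fixed)


def devices_needing_update(inventory: List[Tuple[str, str, str]]):
    """Return the (device_id, platform, version) rows that must be updated."""
    return [row for row in inventory if is_vulnerable(row[1], row[2])]


# Constructed sample inventory: device id, platform, reported OS version.
SAMPLE_INVENTORY = [
    ("z10-001", "bb10", "10.0.10.648"),    # pre-fix BB10 build
    ("z10-002", "bb10", "10.1.0.1720"),    # exactly the fixed build
    ("q10-001", "bb10", "10.1.0.999"),     # a string compare would miss this
    ("pb-001", "playbook", "2.1.0.1526"),  # pre-fix tablet build
    ("pb-002", "playbook", "2.1.0.1753"),  # fixed tablet build
    ("q5-001", "q5", "10.1.0.4181"),       # Q5: not affected per advisory
    ("bold-001", "bb7", "7.1.0.1098"),     # BB7: not affected per advisory
]

if __name__ == "__main__":
    for dev in devices_needing_update(SAMPLE_INVENTORY):
        print("UPDATE NEEDED:", *dev)
```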

Are BlackBerry smartphones affected?

Yes.

Resolution

BlackBerry has issued a fix for this vulnerability, which is included in 
BlackBerry 10 OS version 10.1.0.1720 and later and BlackBerry PlayBook tablet 
software version 2.1.0.1753 and later. These software updates resolve these 
Adobe Flash Player vulnerabilities on affected versions of BlackBerry Z10 
smartphones, BlackBerry Q10 smartphones and the BlackBerry PlayBook tablet. 
Customers should update their BlackBerry Z10 smartphone and/or BlackBerry Q10 
smartphone to BlackBerry 10 OS version 10.1.0.1720 or later and/or their 
BlackBerry PlayBook tablet software to version 2.1.0.1753 or later to be fully 
protected from these issues.

Both the BlackBerry 10 OS update and the BlackBerry PlayBook tablet update 
include all previously released security updates for Adobe Flash Player.

Note: If customers are running a BlackBerry Z10 smartphone OS version earlier 
than 10.1.0.1720, or a cellular-enabled BlackBerry tablet OS version earlier 
than 2.1.0.1753 but do not see a software update notification but their device 
indicates that the software is up to date, customers can contact their 
wireless service provider to request BlackBerry Z10 smartphone OS version 
10.1.0.1720 or BlackBerry Tablet OS version 2.1.0.1753 or later.

See the Mitigations section of this advisory for information on how to 
mitigate potential risk until the software update is available for all 
customers.

Update by Accessing the Software Update Notification

BlackBerry Z10 smartphones and BlackBerry PlayBook tablets use notifications to 
keep customers informed about software updates. When a new software update 
notification is available, it appears in the status ribbon at the top of the 
screen on the BlackBerry PlayBook tablet, and within the Notifications section 
of the BlackBerry Hub on a BlackBerry Z10 smartphone. Simply view the 
notifications and follow the steps to access the latest software update 
notification and complete the software update.

Manually Check for Software Updates on BlackBerry Z10 smartphones

1. From the home screen, swipe down from the top of the screen.
2. Tap the Settings icon, then Software Updates.
3. Tap Check for Updates.

Manually Check for Software Updates on the BlackBerry PlayBook tablet

1. From the home screen, swipe down from the top of the screen.
2. Tap Software Updates.
3. Tap Check for Updates.

Customers can also update their BlackBerry Z10 smartphone software using 
BlackBerry Link and their BlackBerry tablet software using BlackBerry Desktop 
Software. For more information, see the Help documentation for BlackBerry Link 
or the Help documentation for BlackBerry Desktop Software.

After customers update their software, the screen will indicate that BlackBerry 
10 OS version 10.1.0.1720 or later and/or BlackBerry Tablet OS version 
2.1.0.1720 or later is installed on the device.

More Information

How can I find out what version of the BlackBerry 10 OS I am running?

For BlackBerry Z10 and BlackBerry Q10 smartphones:

1. From the home screen, swipe down from the top of the screen.
2. Tap the Settings icon.
3. Tap About, and view the OS Version or Software Release field in the General 
settings.

For the BlackBerry PlayBook tablet:

1. From the home screen, swipe down from the top of the screen.
2. Tap About, and view the OS Version.

Are new (still in the box) BlackBerry Z10 and BlackBerry Q10 smartphones and 
BlackBerry PlayBook tablets exposed to this vulnerability?

As long as the user fully completes the device setup, including the device 
software update, the user’s tablet will not be affected. During the initial 
setup process, the BlackBerry Z10 smartphone, BlackBerry Q10 smartphone and 
the BlackBerry PlayBook tablet will download and install the latest version of 
the OS available from the customer’s carrier. The fix for this vulnerability 
is included in all versions of the BlackBerry Z10 smartphone software after 
version 10.1.0.1720 and the BlackBerry tablet software after 2.1.0.1753.

Note: If customers are running a BlackBerry Z10 smartphone OS version earlier 
than 10.1.0.1720, or a cellular-enabled BlackBerry tablet OS version earlier 
than 2.1.0.1753 but do not see a software update notification but their device 
indicates that the software is up to date, customers can contact their 
wireless service provider to request BlackBerry Z10 smartphone OS version 
10.1.0.1720 or BlackBerry Tablet OS version 2.1.0.1753 or later.

Is the BlackBerry Q5 smartphone exposed to this vulnerability?

No. The fix for this vulnerability is included in all versions of the 
BlackBerry Q5 smartphone software.

Does the BlackBerry Z10 smartphone, BlackBerry Q10 smartphone and/or BlackBerry 
PlayBook tablet force me to update my software?

No, your action is required to update the software. Your BlackBerry Z10 
smartphone, BlackBerry Q10 smartphone and/or BlackBerry PlayBook tablet use 
notifications to keep you informed about software updates and provide 
instructions for you to easily install a software update. You can also manually 
check for software updates. See the Resolution section of this advisory for 
steps to update your software.

Can a BlackBerry Z10 smartphone customer, BlackBerry Q10 smartphone customer 
and/or BlackBerry PlayBook tablet customer update Adobe Flash Player without 
performing a full OS update?

No. Adobe Flash Player is provided as an integral part of both the BlackBerry 
10 OS and the BlackBerry Tablet OS installation, and they must be updated 
together.

Can an administrator use BlackBerry Enterprise Server IT policies to disable 
Adobe Flash Player on BlackBerry 10 devices and/or BlackBerry PlayBook tablets 
in an enterprise?

No, there are no IT policies that an administrator can use to disable Adobe 
Flash Player on a BlackBerry Z10 smartphone, BlackBerry Q10 smartphone or the 
BlackBerry PlayBook tablet.

Vulnerability Information

Multiple vulnerabilities exist in the Adobe Flash Player version included with 
affected versions of BlackBerry Z10 smartphone, BlackBerry Q10 smartphone and 
BlackBerry PlayBook tablet software.

Successful exploitation of these issues could potentially result in an attacker 
being able to execute arbitrary code (that is, achieve RCE) in the context of 
the application that opens the specially crafted Adobe Flash content 
(typically the web browser). Failed exploitation of this issue might result in 
abnormal or unexpected termination of the application.

An attacker must craft Adobe Flash content in a stand-alone Adobe Flash (.swf) 
application or embed Adobe Flash content in a website. The attacker must then 
persuade the user to access the Adobe Flash content by clicking a link to the 
content in an email message or on a webpage or loaded as part of an Adobe AIR 
application. The email message could be received at a webmail account that the 
user accesses in a browser on a BlackBerry Z10 smartphone, BlackBerry Q10 
smartphone and/or the BlackBerry PlayBook tablet.

These vulnerabilities all have a Common Vulnerability Scoring System (CVSS) 
score of 6.8. For a description of the Adobe Flash Player security issues that 
this security advisory addresses, see the CVE identifiers.

CVE identifier — CVSS Score
CVE-2013-0633 — 6.8
CVE-2013-0634 — 6.8
CVE-2013-0637 — 6.8
CVE-2013-0638 — 6.8
CVE-2013-0639 — 6.8
CVE-2013-0642 — 6.8
CVE-2013-0644 — 6.8
CVE-2013-0645 — 6.8
CVE-2013-0646 — 6.8
CVE-2013-0647 — 6.8
CVE-2013-0648 — 6.8
CVE-2013-0649 — 6.8
CVE-2013-0650 — 6.8
CVE-2013-1365 — 6.8
CVE-2013-1366 — 6.8
CVE-2013-1367 — 6.8
CVE-2013-1368 — 6.8
CVE-2013-1369 — 6.8
CVE-2013-1370 — 6.8
CVE-2013-1371 — 6.8
CVE-2013-1372 — 6.8
CVE-2013-1373 — 6.8
CVE-2013-1374 — 6.8
CVE-2013-1375 — 6.8

Mitigations

BlackBerry PlayBook

These issues are mitigated for all customers by the prerequisite that the 
attacker must persuade the customer to access the maliciously crafted Adobe 
Flash content by opening the Adobe Flash application or clicking a maliciously 
crafted link in an email message or on a web page. The attacker cannot force 
the customer to access the content or bypass the requirement that the customer 
chooses to access the content. BlackBerry recommends that customers do not 
click links in emails received from untrusted sources or within webpages they 
are otherwise directed to by untrusted sources, or load Adobe Flash 
applications from untrusted sources on the BlackBerry PlayBook tablet.

The capabilities and permissions of BlackBerry PlayBook tablet applications 
are heavily restricted using a technique called sandboxing. Sandboxing limits 
the impact of vulnerabilities in applications to the confidentiality or 
integrity of other applications or the private data associated with them.

BlackBerry Z10 and BlackBerry Q10 smartphone

Adobe Flash is not enabled by default on a BlackBerry Z10 and/or BlackBerry 
Q10 smartphone. A customer must enable Adobe Flash to view Flash content 
within the browser.

These issues are mitigated for all customers by the prerequisite that the 
attacker must persuade the customer to access the maliciously crafted Adobe 
Flash content by opening the Adobe Flash application or clicking a maliciously 
crafted link in an email message or on a web page. The attacker cannot force 
the customer to access the content or bypass the requirement that the customer 
chooses to access the content. BlackBerry recommends that customers do not 
click links in emails received from untrusted sources or within webpages they 
are otherwise directed to by untrusted sources, or load Adobe Flash 
applications from untrusted sources on the BlackBerry Z10 smartphone and/or 
BlackBerry Q10. 

The capabilities and permissions of the BlackBerry Z10 and BlackBerry Q10 
smartphone applications are heavily restricted using a technique called 
sandboxing. Sandboxing limits the likelihood of impact to the confidentiality 
or integrity of other applications or the private data associated with them.

Workarounds

BlackBerry recommends that all customers apply the available software updates 
to fully protect their BlackBerry Z10 smartphone, BlackBerry Q10 smartphone 
and/or BlackBerry PlayBook tablets.

All workarounds should be considered temporary measures for customers to 
employ if they cannot install the update immediately or must perform standard 
testing and risk analysis. BlackBerry recommends that customers without these 
requirements install the update to secure their systems.

BlackBerry PlayBook tablet

For users that are unable to upgrade at this time, this risk can be mitigated 
by temporarily disabling all Adobe Flash content in the browser on the 
BlackBerry PlayBook tablet (in the browser, tap Options > Content, and set 
Enable Flash to Off).

Important: Turning off Adobe Flash content in the browser will impact the 
ability to view content on some web pages, and result in a diminished browsing 
experience.

Once users have upgraded their BlackBerry PlayBook tablet software, they can 
re-enable Adobe Flash content in the browser (in the browser, tap Options > 
Content, and set Enable Flash to On).

BlackBerry Z10 and BlackBerry Q10 smartphone

For users that are unable to upgrade at this time and have enabled Adobe Flash, 
this risk can be mitigated by temporarily disabling all Adobe Flash content in 
the browser on the BlackBerry Z10 and/or BlackBerry Q10 smartphone (in the 
browser, tap Options > Settings > Display and Actions, and set Adobe Flash 
to Off).

Important: Turning off Adobe Flash content in the browser will impact the 
ability to view content on some web pages, and result in a diminished browsing 
experience.

Once users have upgraded their BlackBerry Z10 and/or BlackBerry Q10 smartphone 
software, they can re-enable Adobe Flash content in the browser (in the 
browser, tap Options > Settings > Display and Actions, and set Adobe Flash to 
On or select Enable Flash in the dialogue that is shown when viewing a webpage 
that uses Flash, within the personal browser).

Definitions

CVE

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names 
(CVE Identifiers) for publicly known information security vulnerabilities 
maintained by the MITRE Corporation.

CVSS

CVSS is a vendor-agnostic, industry open standard designed to convey the 
severity of vulnerabilities. CVSS scores may be used to determine the urgency 
for update deployment within an organization. CVSS scores can range from 0.0 
(no vulnerability) to 10.0 (critical). BlackBerry uses CVSS in vulnerability 
assessments to present an immutable characterization of security issues. 
BlackBerry assigns all relevant security issues a non-zero score. Customers 
performing their own risk assessments of vulnerabilities that may impact them 
can benefit from using the same industry-recognized CVSS metrics.

Change Log
09-10-2013

Initial publication.

---------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================