<div style="display:inline;"> <img height="1" width="1" style="border-style:none;" alt="" src="//googleads.g.doubleclick.net/pagead/viewthroughconversion/985356508/?value=0&amp;guid=ON&amp;script=0">

Security is Freedom

Blackberry Users Advised to Turn Off Javascript

Posted by JDavis on 3/24/11 9:05 AM | Estimated Reading Time:

According to Blackberry's manufacturer, Research In Motion (RIM), a vulnerability in the open source WebKit browser engine could make remote code execution possible on some models. If exploited, an attacker would be able to read or write to the built-in media storage section of a BlackBerry or to the media card, but would not gain access to user data that the email, calendar and contact applications stored in the phone. Nonetheless, the manufacturer is recommending that Blackberry users disable Javascript as a precaution.

The vulnerability surfaced during the fifth annual Pwn2Own contest at the 2011 CanSecWest security conference held in Vancouver, British Columbia, Canada. Security researchers Willem Pinckaers and Vincenzo Iozzo demonstrated they could download photos, the contact list, and the BlackBerry Messenger data stored in the file system.

From the Register:

The researchers compared their task of finding and exploiting a Blackberry flaw to finding their way through a labyrinth in the pitch dark because there is virtually no material documenting the internal workings of the Research in Motion handset.

Blackberrys lack some common security measures found in other smartphones. For example, Apple's iPhone and Microsoft's Windows 7 Mobile include address space layout randomization (ASLR) and data execution prevention. Additionally, the Blackberry's application sandbox has been faulted as "rudimentary" by security experts.

From a RIM advisory:

Successful exploitation of the vulnerability requires the user to browse to a website that the attacker has maliciously designed. The attacker would then be able to read or write to the built-in media storage section of a BlackBerry smartphone or to the media card, but not to access user data that the email, calendar and contact applications store in the application storage (the internal file system that stores application data and user data) of the BlackBerry smartphone.

Steps to disable Javascript on Blackberrys can be found here under "Workaround."

Topics: Willem Pinckaers, Microsoft, Javascript, apple, Vincenzo Iozzo, RIM, Windows 7, iphone, Research In Motion, CanSecWest, blackberry, Webkit

Leave A Comment


Subscribe to Mocana ON