Research in Motion
against the exploit that was used at the Pwn2Own hacking contest last week.
RIM updated its security
mobile browsers or to disable the browser altogether to prevent remote hackers
from accessing data on the device. The initial security
advisory was posted on March 14
to warn users of the WebKit vulnerability
that was discovered at Pwn2Own at CanSecWest last week.
Pwn2Own pitted security
researchers against four Web browsers and four mobile platforms. A BlackBerry
Torch 9800 running the latest version of the BlackBerry
was cracked because of a vulnerability in the WebKit browser rendering
engine. Since RIM made the switch to WebKit
for its mobile browser fairly recently, the exploit affects only devices
running BlackBerry OS 6 and later.
WebKit is implemented by a
number of mobile and desktop applications, including Apple's iOS and Safari
browser. Pwn2Own contestants also cracked Safari and Microsoft's Internet
Explorer using various WebKit vulnerabilities.
The BlackBerry exploit could
access any user data stored in the media card or built-in storage, although
e-mail, calendar and contacts data are safe, RIM said in its security advisory.
The BlackBerry's applications and application data are stored in a separate area
the exploit can't reach, RIM said.
All BlackBerry users should
be cautious about which Websites they visit using their mobile devices until
the issue has been addressed, RIM said. As an additional precaution, RIM
is necessary to exploit the vulnerability," RIM said. RIM also suggested
disabling the mobile browser entirely as an option.
result in a less than optimal browsing experience since a significant number of
is working on a hotfix, there was no timeline specified in the advisory. It's
also unclear if RIM will rely on carriers to roll out the fix, as that may
further delay when users get the actual patch on their phones.
Oddly enough, RIM said in
its advisory that "the exploitation of the vulnerability was performed at the
Pwn2Own 2011 contest and is publicly known." Under contest rules, security
researchers are forbidden from publicizing the details of the vulnerability or
the exploit used because HP Tipping Point works with the vendor to fix the
flaw. The claim that it is a publicly known exploit is also interesting
considering that according to RIM there have also been no reports to the
BlackBerry Security Incident Response Team about the hack being successfully
exploited outside Pwn2Own's closed environment.
While the exact steps
required to turn off the feature vary by phone model, the basic idea appears to
browser, according to the advisory. The advisory lists instructions for the
BlackBerry Torch 9800, BlackBerry Style 9670, BlackBerry Bold 9700 and 9300,
and BlackBerry Pearl 9100.
IT managers can disable
policy rule on the BlackBerry Enterprise Server management console. The browser
itself can be disabled altogether using the Allow Browser IT policy rule, RIM said.
If the browser is disabled
entirely, the user will no longer have the BlackBerry Browser icon and will not
be able to click on any links or browse to any pages, RIM added as a reminder.