Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • Development
    • Mobile

    RIM Suggests Disabling JavaScript as Temporary Pwn2Own Fix

    By
    Fahmida Y. Rashid
    -
    March 17, 2011
    Share
    Facebook
    Twitter
    Linkedin

      Research in Motion recommended that users disable JavaScript on their mobile browsers to protect against the exploit that was used at the Pwn2Own hacking contest last week.

      RIM updated its security advisory on March 15 urging BlackBerry users to disable JavaScript on their mobile browsers or to disable the browser altogether to prevent remote hackers from accessing data on the device. The initial security advisory was posted on March 14 to warn users of the WebKit vulnerability that was discovered at Pwn2Own at CanSecWest last week.

      Pwn2Own pitted security researchers against four Web browsers and four mobile platforms. A BlackBerry Torch 9800 running the latest version of the BlackBerry OS 6 was cracked because of a vulnerability in the WebKit browser rendering engine. Since RIM made the switch to WebKit for its mobile browser fairly recently, the exploit affects only devices running BlackBerry OS 6 and later.

      WebKit is implemented by a number of mobile and desktop applications, including Apple’s iOS and Safari browser. Pwn2Own contestants also cracked Safari and Microsoft’s Internet Explorer using various WebKit vulnerabilities.

      The BlackBerry exploit could access any user data stored in the media card or built-in storage, although e-mail, calendar and contacts data are safe, RIM said in its security advisory. The BlackBerry’s applications and application data are stored in a separate area the exploit can’t reach, RIM said.

      All BlackBerry users should be cautious about which Websites they visit using their mobile devices until the issue has been addressed, RIM said. As an additional precaution, RIM advised users to disable JavaScript on the mobile browser because “JavaScript is necessary to exploit the vulnerability,” RIM said. RIM also suggested disabling the mobile browser entirely as an option.

      Disabling JavaScript will result in a less than optimal browsing experience since a significant number of Websites use some kind of JavaScript on their mobile pages, RIM said. While RIM is working on a hotfix, there was no timeline specified in the advisory. It’s also unclear if RIM will rely on carriers to roll out the fix, as that may further delay when users get the actual patch on their phones.

      Oddly enough, RIM said in its advisory that “the exploitation of the vulnerability was performed at the Pwn2Own 2011 contest and is publicly known.” Under contest rules, security researchers are forbidden from publicizing the details of the vulnerability or the exploit used because HP Tipping Point works with the vendor to fix the flaw. The claim that it is a publicly known exploit is also interesting considering that according to RIM there have also been no reports to the BlackBerry Security Incident Response Team about the hack being successfully exploited outside Pwn2Own’s closed environment.

      While the exact steps required to turn off the feature vary by phone model, the basic idea appears to be to uncheck the JavaScript box in the options menu under “Web Content” on the browser, according to the advisory. The advisory lists instructions for the BlackBerry Torch 9800, BlackBerry Style 9670, BlackBerry Bold 9700 and 9300, and BlackBerry Pearl 9100.

      IT managers can disable JavaScript enterprise-wide by invoking the Disable JavaScript in Browser IT policy rule on the BlackBerry Enterprise Server management console. The browser itself can be disabled altogether using the Allow Browser IT policy rule, RIM said.

      If the browser is disabled entirely, the user will no longer have the BlackBerry Browser icon and will not be able to click on any links or browse to any pages, RIM added as a reminder.

      Fahmida Y. Rashid
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×