BlackBerry Browser Certificate Vulnerability Brought To Light
A new knowledge base article on the BlackBerry web site acknowledges a security vulnerability affecting all current official operating systems, OS 4.5 through 4.7. Everyone should be aware of this issue.
According to RIM, it is possible to trick a user into thinking they are on a trusted and secure web site by using a null character in the domain certificate when the user clicks a link from an email or SMS message. What may appear to be a simple domain mismatch error is a bug that could be exploited against anyone who is unaware of the vulnerability.
From RIM's article:
"This advisory relates to a BlackBerry Browser dialog box that provides information about web site domain names and their associated certificates. The BlackBerry Browser dialog box informs the BlackBerry device user when there is a mismatch between the site domain name and the domain name indicated in the associated certificate, but does not properly illustrate that the mismatch is due to the presence of some hidden characters (for example, null characters) in the site domain name."
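The mechanism described above (a null character embedded in the certificate's name) and the dialog behaviour RIM's advisory criticizes both come down to how a browser compares the certificate name against the site domain name. The following added example is not from RIM or the BlackBerry Browser; it is a standalone Python illustration, with constructed host names (example.com and other.test are placeholders, not real certificates). It contrasts a C-string style comparison, which silently stops at the first NUL, with a checker that flags hidden characters as a distinct condition so the warning dialog can say so rather than reporting a plain mismatch.

```python
import unicodedata

# Constructed sample values for demonstration (not real certificates).
SAMPLE_SITE_HOST = "www.example.com"
SAMPLE_NUL_NAME = "www.example.com\x00.other.test"


def has_hidden_characters(name: str) -> bool:
    """True if the name carries a NUL, control, format or other
    non-printable character (Unicode general category 'C*')."""
    return any(unicodedata.category(ch).startswith("C") for ch in name)


def c_string_match(cert_name: str, site_host: str) -> bool:
    """Naive comparison that mimics a C-style string function: everything
    after the first NUL is ignored, so a name that continues past the NUL
    is treated as if it ended there. This is the behaviour to avoid."""
    return cert_name.split("\x00", 1)[0].lower() == site_host.lower()


def classify_match(cert_name: str, site_host: str) -> str:
    """Return 'match', 'mismatch' or 'hidden-characters'.

    Hidden characters are checked first and reported on their own, so the
    caller can distinguish them from an ordinary name mismatch."""
    if has_hidden_characters(cert_name) or has_hidden_characters(site_host):
        return "hidden-characters"
    cert = cert_name.lower().rstrip(".")
    host = site_host.lower().rstrip(".")
    if cert == host:
        return "match"
    # Wildcard: only a single leading "*." label, matching exactly one label.
    if cert.startswith("*."):
        suffix = cert[1:]  # e.g. ".example.com"
        leading = host[: -len(suffix)] if host.endswith(suffix) else ""
        if leading and "." not in leading:
            return "match"
    return "mismatch"


def dialog_text(cert_name: str, site_host: str) -> str:
    """Build the text a certificate dialog should show. Hidden characters
    are rendered as escapes (e.g. \\x00) so the user can actually see them."""
    verdict = classify_match(cert_name, site_host)
    shown = cert_name.encode("unicode_escape").decode("ascii")
    if verdict == "match":
        return f"The certificate matches {site_host}."
    if verdict == "hidden-characters":
        return (f"The certificate name '{shown}' contains hidden characters "
                f"(such as NUL) and does not match {site_host}.")
    return f"The certificate was issued to '{shown}', not to {site_host}."


if __name__ == "__main__":
    print("naive C-string comparison:", c_string_match(SAMPLE_NUL_NAME, SAMPLE_SITE_HOST))
    print("hardened classification:", classify_match(SAMPLE_NUL_NAME, SAMPLE_SITE_HOST))
    print(dialog_text(SAMPLE_NUL_NAME, SAMPLE_SITE_HOST))
```

The naive comparator returns True for the NUL-bearing sample name, which is exactly the confusion the advisory describes; the hardened checker never compares such a name at all and instead produces a dialog message that names the hidden character, which is the fix RIM's updated OS is meant to deliver at the user-interface level.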
To correct this issue, RIM recommends that you upgrade your OS to the latest version. However, and this is a little alarming, it is up to the carrier to release the updated OS, which none have done yet. The table below shows which versions are affected and which version you need to upgrade to in order to patch the vulnerability.