BlackBerry Browser Certificate Vulnerability Brought To Light

http://img39.imageshack.us/img39/729...ercertvuln.png

A new knowledge base article on the BlackBerry web site acknowledges a security vulnerability affecting all current official operating systems. Those being OS's 4.5 through 4.7. Everyone should be aware of this issue.

According to RIM, it is possible to trick a user into thinking they are on a trusted, and secure web site using a null character in the domain certificate when clicking on a link from an email or SMS message. What may appear to be a simple mismatch domain error is an bug that could exploit anyone who is unaware of the vulnerability.

From RIM's article:

"This advisory relates to a BlackBerry Browser dialog box that provides information about web site domain names and their associated certificates. The BlackBerry Browser dialog box informs the BlackBerry device user when there is a mismatch between the site domain name and the domain name indicated in the associated certificate, but does not properly illustrate that the mismatch is due to the presence of some hidden characters (for example, null characters) in the site domain name."

http://img136.imageshack.us/img136/2...rcertvuln2.png

To correct this issue RIM recommends that you upgrade your OS to the latest version. However, and this is a little alarming, it is up the carrier to release the updated OS, which none have done yet. The table below shows which versions are affected and which version you need to upgrade to in order to patch the vulnerability.

http://img121.imageshack.us/img121/9...tvulntable.png

[CIO]

Any information on a leak/download site for any of these OS's Sunkast? 4.7.1 here, and I'm sure some Pearl/Pearl Flip/Curve owners would love to find out.

4.7.179 intresting . great find :hail:::bbos::

It seems as though the releases are "sneaking" out. Several search results in Google for Sprint releasing the OS update.

Sprint 4.7.1.57

Sprint may be releasing .57 soon.

Good thing 5.0 is not on the list :p

Yeah I found a boatload of posts ABOUT it...not sure if it is being pushed to everyone yet. I tried to complete a wireless update via VZW but I get an error. QuickPull and re-checking but I doubt it. I'm running the .53 release that was found the other day. We'll see.

P.S. Thanks for the info Sun! ::bbos::

Quote:

---

Originally Posted by olta777

Good thing 5.0 is not on the list :p

---

Yeah really. If I could ever get my Tour to connect to my PC while I was running 5.0 I would keep it. I get "USB charging is insufficient" on every port, powered hub, and camel in site. I finally was able to wipe it (after about 1 hour on two computers) and revert to .53. But I miss it :1244:

So this isn't having an effect to any of the 5.0 OS's that have been leaked does it? If I read the info right it is only effecting the Official 4.7.1.xx systems is that correct? If so I just might have to download .230 to my wifes phone.

Quote:

---

Originally Posted by cooltech59

So this isn't having an effect to any of the 5.0 OS's that have been leaked does it? If I read the info right it is only effecting the Official 4.7.1.xx systems is that correct? If so I just might have to download .230 to my wifes phone.

---

I miss my 5.0 :( But I was also instructed NOT to load 5.0 on the wife's phone until it's an official release. LOL. I don't want to join Natemz in the "I'm locked out the bedroom" club

Wirelessly posted (storm 9530)

Quote:

---

Originally Posted by TemperamentalMan

Quote:

---

Originally Posted by cooltech59

So this isn't having an effect to any of the 5.0 OS's that have been leaked does it? If I read the info right it is only effecting the Official 4.7.1.xx systems is that correct? If so I just might have to download .230 to my wifes phone.

---

I miss my 5.0 :( But I was also instructed NOT to load 5.0 on the wife's phone until it's an official release. LOL. I don't want to join Natemz in the "I'm locked out the bedroom" club

---

Lol nice Temp!

Quote:

---

Originally Posted by Natemz

Wirelessly posted (storm 9530)



Lol nice Temp!

---

mine could care less

Quote:

---

Originally Posted by TemperamentalMan

I miss my 5.0 :( But I was also instructed NOT to load 5.0 on the wife's phone until it's an official release. LOL. I don't want to join Natemz in the "I'm locked out the bedroom" club

---

:omfg:Yeah it seems you and I discussed this before. I told ya how my wife is. But with this security issue she might ease up. Beside's I'm always in an out of doghouse. Like the song says "Move over ol' dog the new dogs coming in"

Quote:

---

Originally Posted by cooltech59

:omfg:Yeah it seems you and I discussed this before. I told ya how my wife is. But with this security issue she might ease up. Beside's I'm always in an out of doghouse. Like the song says "Move over ol' dog the new dogs coming in"

---

I just put an add-on the bedroom. I even have the vinyl doors LOL

P.S. No problem Natemz!!! LMAO :D

So how many people have called their carrier today?


hahaha :D

good to know :cool:

Wirelessly posted

Calling DNA to see what Telus will do about this! Ill post what they in 30min

I find this to be alarming that carries knew about this problem before it hit the net, yet have failed to release an appropriate upgrade to fix this problem. I will be calling VZW today and voicing my concern.

Hmmm... seems like all carriers would want to get 5.0 out like NOW!!

So wheres the 5.0 leak for the 8320? :)