BlackBerry Browser Certificate Vulnerability Brought To Light
A new knowledge base article on the BlackBerry web site acknowledges a security vulnerability affecting all current official operating systems, OS 4.5 through 4.7. Everyone should be aware of this issue.
According to RIM, it is possible to trick a user into thinking they are on a trusted and secure web site by using a null character in the domain certificate when clicking on a link from an email or SMS message. What may appear to be a simple domain mismatch error is a bug that could be used to exploit anyone who is unaware of the vulnerability.
From RIM's article:
"This advisory relates to a BlackBerry Browser dialog box that provides information about web site domain names and their associated certificates. The BlackBerry Browser dialog box informs the BlackBerry device user when there is a mismatch between the site domain name and the domain name indicated in the associated certificate, but does not properly illustrate that the mismatch is due to the presence of some hidden characters (for example, null characters) in the site domain name."
To correct this issue RIM recommends that you upgrade your OS to the latest version. However, and this is a little alarming, it is up to the carrier to release the updated OS, which none have done yet. The table below shows which versions are affected and which version you need to upgrade to in order to patch the vulnerability.
Last edited by sunkast; 09-29-2009 at 03:56 PM.
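The trick described in the post relies on certificate subject names being length-prefixed ASN.1 strings, so a name can legally contain a NUL byte; any checker that handles the name like a C string stops reading at that NUL and sees only the part in front of it. The following is an added example, not code from the thread or from RIM: a naive matcher that reproduces the defect next to a strict one that compares the whole name, refuses invisible characters, and produces the kind of dialog text the advisory says was missing (one that actually shows the hidden character). All certificate names are constructed test strings and "www.example.com" / "attacker.test" are placeholder hosts.

```python
"""Hostname-vs-certificate-name matching: naive (defective) and strict.

Added example, not part of the original forum post. Certificate names used
here are constructed strings, not names from real certificates.
"""
import unicodedata


def naive_cn_matches(cert_cn: str, requested_host: str) -> bool:
    """Emulates a checker that treats the certificate name as a C string.

    Everything after the first NUL is silently dropped before comparing,
    so a name like 'www.example.com\\x00.attacker.test' looks like an
    exact match for 'www.example.com'. This is the defective behaviour.
    """
    visible_part = cert_cn.split("\x00", 1)[0]
    return visible_part.lower() == requested_host.lower()


def hidden_characters(name: str) -> list[tuple[int, str]]:
    """Return (index, char) for every character a dialog box would not
    render visibly: NUL and other control characters (Cc), format
    characters such as zero-width spaces (Cf), surrogates, private-use
    and unassigned code points (all Unicode categories starting with C)."""
    return [(i, ch) for i, ch in enumerate(name)
            if unicodedata.category(ch).startswith("C")]


def strict_cn_matches(cert_cn: str, requested_host: str) -> bool:
    """Compare the full certificate name, never truncating at NUL, and
    refuse outright any name that contains invisible characters."""
    if hidden_characters(cert_cn):
        return False
    return cert_cn.lower() == requested_host.lower()


def explain_mismatch(cert_cn: str, requested_host: str) -> str:
    """Build the message a browser dialog should show: it states the
    mismatch AND makes the hidden characters visible by code point and
    position, instead of presenting the name as if it were plain text."""
    hidden = hidden_characters(cert_cn)
    if hidden:
        detail = ", ".join(f"U+{ord(ch):04X} at index {i}" for i, ch in hidden)
        return (f"Certificate name {cert_cn!r} does not match "
                f"{requested_host!r}: it contains hidden character(s) {detail}")
    if cert_cn.lower() != requested_host.lower():
        return f"Certificate name {cert_cn!r} does not match {requested_host!r}"
    return "Certificate name matches"


if __name__ == "__main__":
    # Constructed certificate name with an embedded NUL (placeholder hosts).
    crafted = "www.example.com\x00.attacker.test"
    requested = "www.example.com"
    print("naive matcher :", naive_cn_matches(crafted, requested))   # True
    print("strict matcher:", strict_cn_matches(crafted, requested))  # False
    print(explain_mismatch(crafted, requested))
```

Running the block prints the two verdicts side by side and a message that names the NUL at index 15, which is the piece of information the advisory says the affected dialog box left out. Real validators additionally need wildcard handling and subjectAltName support, but the rule shown here, compare the whole name and reject anything non-printable, is the part that defeats the hidden-character trick.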
Any information on a leak/download site for any of these OS's Sunkast? 4.7.1 here, and I'm sure some Pearl/Pearl Flip/Curve owners would love to find out.
4.7.179, interesting. Great find :hail:
It seems as though the releases are "sneaking" out. Several search results in Google for Sprint releasing the OS update.
Sprint may be releasing .57 soon.
Good thing 5.0 is not on the list
Yeah I found a boatload of posts ABOUT it...not sure if it is being pushed to everyone yet. I tried to complete a wireless update via VZW but I get an error. QuickPull and re-checking but I doubt it. I'm running the .53 release that was found the other day. We'll see.
P.S. Thanks for the info Sun!
Yeah really. If I could ever get my Tour to connect to my PC while I was running 5.0 I would keep it. I get "USB charging is insufficient" on every port, powered hub, and camel in sight. I finally was able to wipe it (after about 1 hour on two computers) and revert to .53. But I miss it.