BlackBerry Patches BlackBerry 10 Bug That Allows Malicious App Installation


BlackBerry has patched a vulnerability in its BlackBerry 10 devices that could allow an attacker to intercept users’ traffic to and from the BlackBerry World app store and potentially install malware on a targeted device.

The vulnerability is a weakness in the integrity checking system that BlackBerry uses to verify the apps that users download. If an attacker is able to gain a man-in-the-middle position between a user and the BlackBerry World servers, he could replace the legitimate requested app with malware. BlackBerry says that the vulnerability only affects devices running BlackBerry 10, and recommends updating to the new version of the app as soon as possible.

A vulnerability exists in the BlackBerry World service’s download mechanism, which is used by the BlackBerry World app on affected BlackBerry 10 smartphones. BlackBerry World allows you to search for and download apps for your BlackBerry device. BlackBerry World employs application integrity checking and secure download methods to ensure that the correct app is downloaded and installed. In some cases, a weakness in these methods could allow an attacker, through a man-in-the-middle attack, to intercept a user’s BlackBerry World application download and, as a result, install malware on the device. Successful exploitation of this vulnerability could potentially result in an attacker gaining access to any data or settings that are accessible through the permissions that the user accepted when installing the malicious app.

In order to exploit this vulnerability, an attacker must intercept a user’s application download/update request from BlackBerry World over a compromised network and replace the response from the server with a malicious file. The user must then accept the app permissions and install the malicious application.

The vulnerability affects versions 10.2, 10.2.1 and 10.3 of the BlackBerry World app.

BlackBerry World impacted versions on BlackBerry 10 smartphones. The impacted versions depend on the BlackBerry 10 OS version, as follows:

BlackBerry 10 OS version: affected BlackBerry World versions
  • 10.3.0: versions earlier than 5.1.0.53
  • 10.2.1: versions earlier than 5.0.0.263
  • 10.2.0: versions earlier than 5.0.0.262

BlackBerry has issued a fix for this vulnerability, which is included in the specified BlackBerry World resolution versions. The resolution versions depend on the BlackBerry 10 OS version, as follows:

BlackBerry 10 OS version: resolution BlackBerry World versions
  • 10.3.0: versions 5.1.0.53 and later
  • 10.2.1: versions 5.0.0.263 and later
  • 10.2.0: versions 5.0.0.262 and later
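
A fleet check built from the affected and resolution version lists above, as an added example that is not from BlackBerry or the original article. The inventory CSV layout, device names and build numbers are constructed, and treating an OS build such as 10.2.1.3247 as release 10.2.1 is an assumption.

```python
import csv
import io

# First fixed BlackBerry World version per BlackBerry 10 OS release (from the lists above).
FIXED = {
    (10, 3, 0): (5, 1, 0, 53),
    (10, 2, 1): (5, 0, 0, 263),
    (10, 2, 0): (5, 0, 0, 262),
}

def parse_version(text):
    """Turn '5.0.0.263' into (5, 0, 0, 263); raise ValueError on anything else."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version: {text!r}")
    return tuple(int(p) for p in parts)

def classify(os_version, world_version):
    """Return 'vulnerable', 'patched' or 'unknown' for one device."""
    try:
        os_v, world_v = parse_version(os_version), parse_version(world_version)
    except ValueError:
        return "unknown"  # unparseable inventory data needs manual review
    # Assumption: only the first three OS components select the release row.
    fixed = FIXED.get((os_v + (0, 0))[:3])
    if fixed is None:
        return "unknown"  # OS release not covered by the advisory lists
    # Pad both sides so that 5.1.0 compares as 5.1.0.0.
    width = max(len(world_v), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))
    return "vulnerable" if pad(world_v) < pad(fixed) else "patched"

def audit(inventory_csv):
    """Map device id -> status for CSV rows of device,os_version,world_version."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device"]: classify(r.get("os_version") or "",
                                  r.get("world_version") or "") for r in rows}

# Constructed sample inventory (not real devices or real build numbers).
SAMPLE = """device,os_version,world_version
dev-01,10.3.0.1172,5.1.0.52
dev-02,10.3.0.1172,5.1.0.53
dev-03,10.2.1.3247,5.0.0.262
dev-04,10.2.0.1803,5.0.0.262
dev-05,10.1.0.4633,4.3.0.21
dev-06,10.2.1.3247,n/a
"""

if __name__ == "__main__":
    for device, status in audit(SAMPLE).items():
        print(device, status)
```

Devices reported as "unknown" fall outside the advisory's lists or have unparseable data and should be reviewed by hand rather than assumed safe.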

Manually update the BlackBerry World application
You can download BlackBerry World or manually update your existing version of BlackBerry World by visiting www.mobile.blackberry.com from your BlackBerry device or by visiting www.blackberry.com/blackberryworld from a computer.

BlackBerry says that user communications with BlackBerry World are now carried over SSL, which can help protect against MITM attacks.
