Blackberry Browser Security issue

[supabrudda]

There's a vunrability been discovered with all native Blackberry browsers (BIS, BES, WAP, WiFi browsers) relating to website security certificates

KB19552

Basically if you visit a website & you a Certificate mis-match warning (which may look the same as the site your visiting), then you should close the browser window & not proceed.
http://www.blackberry.com/btsc/artic...prefix_fix.bmp

I imagine it'll be at least 4-6weeks before carriers release an upgrade to fix this.




Overview

This advisory relates to a BlackBerry browser dialog box that provides information about web site domain names and their associated certificates. The BlackBerry browser dialog box informs the BlackBerry device user when there is a mismatch between the site domain name and the domain name indicated in the associated certificate, but does not properly illustrate that the mismatch is due to the presence of some hidden characters (for example, null characters) in the site domain name.

Note: This issue affects all built-in browsers on affected BlackBerry devices (BlackBerry Browser, Internet Browser, WAP Browser, and Wi-Fi (Hotspot) Browser).

Issue Severity: This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 6.8.

Issue Status: Vulnerability confirmed. Check for software containing the security update based on your wireless service provider. For more information, see the Resolution section.

Recommendation: Complete the resolution actions documented in this advisory.

Mitigation: RIM recommends that BlackBerry device users exercise caution when clicking on links that they receive in email or SMS messages. If a user visits a site that causes a BlackBerry browser dialog box to warn the user about continuing the connection, the user should select Close connection.

Acknowledgements

RIM thanks both Mobile Security Lab and CESG for separately reporting this issue to RIM, and working with RIM to protect its customers.


Impact

A malicious user may be able to deceive a BlackBerry device user into connecting to a web site that is controlled by the malicious user.


Problem

A malicious user could create a web site that includes a certificate that is purposely altered using null (hidden) characters in the certificate's Common Name (CN) field or otherwise manipulated to deceive a BlackBerry device user into believing they have connected to a trusted web site.



If the malicious user then performs a phishing-style attack by sending the BlackBerry device user a link to the web site in an SMS or email message that appears to be from a trusted source, and the BlackBerry device user chooses to access that site, the BlackBerry browser will correctly detect the mismatch between the certificate and the domain name and display a dialog box that prompts the user to close the connection. However, the dialog box does not display null characters, so the user may believe they are connecting to a trusted site and disregard the recommended action to close the connection.

The following screenshot shows an example of a BlackBerry browser dialog box that does not clearly indicate that there is a mismatch between the web server address and its associated certificate
http://www.blackberry.com/btsc/artic...prefix_fix.bmp


Resolution

RIM has issued a software update that resolves this issue in BlackBerry Device Software version 4.5 and later.

To check for available updates for your BlackBerry Device Software, visit BlackBerry - Update your Device Software.

Update to the BlackBerry Device Software applications version for your BlackBerry device model as indicated in the table below to resolve this issue. If the updated applications version indicated is not available, contact your wireless service provider (carrier).

Current applications version


Applications version to update to

Version 4.5.0.x -> Version 4.5.0.173 or later

Version 4.6.0.x -> Version 4.6.0.303 or later

Version 4.6.1.x -> Version 4.6.1.309 or later

Version 4.7.0.x -> Version 4.7.0.179 or later

Version 4.7.1.x -> Version 4.7.1.57 or later

[BESadmin]

RIM Patches BlackBerry Phishing Flaw
1st October 2009
www.informationweek.com

Research In Motion (NSDQ: RIMM) issued a security patch that fixes a vulnerability that potentially leaves BlackBerry users open to phishing attacks.

The flaw enables a malicious coder to trick BlackBerry users into visiting a potentially malicious Web site by making the device think the site is a trusted one. To exploit this, attackers would need to create a site that uses null characters in the certificate's Common Name field. The device detects the mismatch between the domain name and the certificate, but the warning screen doesn't display the hidden character, making the user think the site is trusted.

"The updated BlackBerry device software is designed to depict null characters in the BlackBerry browser dialog box that appears when the user visits a Web site with a certificate that does not match the site domain name," RIM said in a security note. "In the updated BlackBerry device software, the BlackBerry device represents previously hidden null characters with a block, and highlights the non-matching portion of the domain name in bold."

The security flaw was brought to RIM's attention by Mobile Security Labs and CESG, and it impacts various BlackBerry models with the 4.5 version of the operating system or later. Individual users and BlackBerry Enterprise Software managers can check for updates from RIM's Web site, and the company advises BlackBerry users to exercise caution when clicking on links they receive from SMS messages or e-mail.

The mobile platforms have not been a major target of malicious coders, particularly because the wide variety of operating systems makes mobile devices a harder target than Windows desktop machines. But as more users carry sensitive data on their handsets, most industry experts speculate it will only be a matter of time before a widespread mobile virus emerges.