KB26132-Vulnerability in WebKit browser engine impacts BlackBerry D... http://www.blackberry.com/btsc/microsites/microsite.do?cmd=display...

Vulnerability in WebKit browser engine impacts BlackBerry Device Software version 6.0 and
later
Products
Affected Third-Party Component(s)
Article ID: KB26132
The issue affects the open source WebKit browser engine used in BlackBerry® Device So ware version 6.0 and
later. Type: Security Notice

Affected BlackBerry Products First Published : 03-14-2011

BlackBerry smartphones running BlackBerry Device Software version 6.0 and later Last Modified: 03-15-2011

Non-Affected BlackBerry Products

Product(s) Affected:
BlackBerry Device So ware versions earlier than 6.0
BlackBerry® Bold™
BlackBerry® Enterprise Server 9650 smartphone
BlackBerry® Internet Service BlackBerry® Bold™
BlackBerry® Desktop Manager 9700 smartphone
BlackBerry® Mobile Voice System BlackBerry® Bold™
9780 smartphone
Issue Severity BlackBerry® Curve™
9300 Series
This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 6.8. BlackBerry® Pearl™
9100 Series
Impact
BlackBerry® Style™
A vulnerability exists in the open source WebKit browser engine provided in BlackBerry Device Software version 6.0 and 9670 smartphone
later. The issue could result in remote code execution on affected BlackBerry smartphones. Successful exploitation of the BlackBerry® Torch™
vulnerability requires the user to browse to a website that the attacker has maliciously designed. A successful exploit 9800 smartphone
could allow the attacker to use the BlackBerry Browser to access user data stored on the media card and in the built-in
media storage on the BlackBerry smartphone, but not to access user data that the email, calendar and contact
applications store in the application storage (the internal file system that stores application data and user data) of the
BlackBerry smartphone.

Application storage is the only place on a device from which applications can be run. Sections of application storage can
store files that a user downloads or saves to device memory. Exploitation of the vulnerability does not allow access to
this part of BlackBerry smartphone memory.

View more information about device storage space.

Overview
Research In Motion is aware of recent reports of a vulnerability affecting the implementation of open source WebKit
technology in the BlackBerry Browser in BlackBerry Device Software version 6.0 and later. This security notice
communicates the following key facts:

The exploitation of the vulnerability was performed at the Pwn2Own 2011 Contest and is publicly known.
At the time of release of this security notice, the BlackBerry Security Incident Response Team has not received
any reports that this vulnerability has been successfully exploited on a BlackBerry smartphone outside of a test
environment or has resulted in any impact to BlackBerry customers.
A successful exploit could allow the attacker to use the BlackBerry Browser to access user data stored on the
media card and in the built-in media storage on the BlackBerry smartphone, but not to access user data that the
email, calendar and contact applications store in the application storage (the internal file system that stores
application data and user data) of the BlackBerry smartphone.

Recommendation
Follow the available workarounds documented in this security notice.

Exercise caution when clicking on links to untrusted websites in browsers, email or instant messages.

References
CVE® Identifier: CVE-2011-1290

Workaround

Option 1: Disable JavaScript use in the BlackBerry Browser

Users of BlackBerry Device Software version 6.0 and later can disable the use of JavaScript in the BlackBerry Browser to
prevent exploitation of the vulnerability. The issue is not in JavaScript but the use of JavaScript is necessary to exploit
the vulnerability.

Important: Turning off JavaScript may impact the ability to view web pages, or result in a diminished browsing
experience.

How to disable JavaScript support on a BlackBerry smartphone

Click the name of your BlackBerry smartphone model to view instructions for turning off JavaScript support.

BlackBerry Torch 9800 smartphone

BlackBerry Style 9670 smartphone
BlackBerry Bold 9700 smartphone
BlackBerry Bold 9650 smartphone
BlackBerry Curve 9300 smartphone

1 of 3 3/18/2011 10:59 AM
KB26132-Vulnerability in WebKit browser engine impacts BlackBerry D... http://www.blackberry.com/btsc/microsites/microsite.do?cmd=display...

BlackBerry Pearl 9100 smartphone

How to disable JavaScript support on all BlackBerry smartphones in an enterprise

If you are a BlackBerry Enterprise Server administrator, you can turn off JavaScript support using the Disable JavaScript
in Browser IT policy rule. View the BlackBerry Enterprise Server Policy Reference Guide for more information.

Important: Notify the affected users in your organization that you have made a change that will impact the ability to
view web pages, or result in a diminished browsing experience on BlackBerry smartphones.

Option 2: Disable the BlackBerry Browser

If you are a BlackBerry Enterprise Server administrator, you can disable the BlackBerry Browser on BlackBerry
smartphones in your organization using the Allow Browser IT policy rule and the Allow Other Browser Services IT policy
rule.

To disable the BlackBerry Browser, complete the followings steps in the IT policy or policies:

1. Click Service Exclusivity policy group.

2. Set Allow Other Browser Services to False.
3. Click Global items.
4. Set Allow Browser to False.

View the BlackBerry Enterprise Server Policy Reference Guide for more information on IT policy rules.

View more information about using an IT policy to manage BlackBerry Enterprise Solution security.

Important: If users attempt to use browsing by clicking a link in a message received before you disabled the
BlackBerry Browser, the following dialog will instruct them to contact their service provider to enable the Browser. Notify
the affected users in your organization that you have made a change that will hide the BlackBerry Browser icon on
BlackBerry smartphones and prevent use of browsing using links in messages.

Additional Information

What is WebKit?

WebKit is a browser rendering engine designed to allow browsers to display webpages quickly. Browsers from multiple
vendors on mobile, desktop and laptop platforms implement WebKit technology.

How does a website exploit the vulnerability?

Successful exploitation of the vulnerability requires the user to browse to a website that the attacker has maliciously
designed. The website could be an otherwise legitimate website that the attacker has compromised. An example of a
website that could be compromised is a site that accepts or hosts user-provided HTML content or advertisements.

Can an attacker exploit this vulnerability when I am using email on my BlackBerry

smartphone?

No. The act of sending, receiving, or reading email does not allow an attacker to exploit this vulnerability on your
BlackBerry smartphone.

Is RIM going to issue a software update that fixes this vulnerability?

RIM is investigating the issue to determine the best resolution for protecting BlackBerry smartphone users.

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?

No.

What is CVE?

Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known
information security vulnerabilities maintained by the MITRE corporation.

What is CVSS?

CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may
be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no
vulnerability) to 10.0 (critical). RIM uses CVSS in vulnerability assessments to present an immutable characterization of
security issues. RIM assigns all security relevant issues a non-zero score.

Where can I read more about BlackBerry security?

Visit www.blackberry.com/security for more information on BlackBerry security.

2 of 3 3/18/2011 10:59 AM
KB26132-Vulnerability in WebKit browser engine impacts BlackBerry D... http://www.blackberry.com/btsc/microsites/microsite.do?cmd=display...

Acknowledgments
RIM acknowledges the following security researchers for reporting this WebKit vulnerability: Vincenzo Iozzo, Ralf Philipp
Weinmann, and Willem Pinckaers (reported via TippingPoint and the Zero Day Initiative).

Change Log
03-15-11

Article updated to include another workaround option (disabling the BlackBerry Browser) and clarify the following
details:

A successful exploit could allow the attacker to access user data stored on the media card and in the built-in
media storage on the BlackBerry smartphone.
A successful exploit could not allow the attacker to access user data that the email, calendar and contact
applications store in the application storage (the internal file system on the BlackBerry smartphone stores
application data and user data).
Application storage is the only place on a device from which applications can be run. Sections of application
storage can store files that a user downloads or saves to device memory.
Exploitation of the vulnerability does not allow access to this part of BlackBerry smartphone memory.

Disclaimer
By downloading, accessing or otherwise using the Knowledge Base documents you agree:

(a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these
documents; and

(b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.

Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.

3 of 3 3/18/2011 10:59 AM