Attacks/Breaches
12/7/2011
11:20 AM
Eric Zeman
Eric Zeman
Commentary
50%
50%

RIM's PlayBook Security Patch Doesn't Last Long

Research In Motion hoped to close a security breach with a software update to its PlayBook tablet, but coders cracked the patch in only a few hours.

Research In Motion provided a system update to the BlackBerry PlayBook tablet late Tuesday. According to the changelog, the primary purpose of the update was to plug a security hole being exploited by the Dingleberry Playbook jailbreak tool.

The log said that version 1.0.8.6067, which is only 5 MB in size, "offers support for Flash 10.3 and updates to Adobe AIR to support developers in addition to DST and security fixes."

Researchers had recently released a tool--called Dingleberry--that unlocks the PlayBook, a first for RIM's tablet, which included government-grade security features. Once unlocked, PlayBook users are granted access to the entire PlayBook codebase, allowing them to do a lot more with it than through the generally available tools.

For example, the Android Market--and its hundreds of thousands of apps--is available for the first time on the PlayBook. While RIM is still developing PlayBook OS 2.0, which will bring support for Android apps in an emulator, impatient PlayBook owners can dive in now if they don't mind cracking the tablet's code. (The patch isn't yet available to developers already using the PlayBook OS 2.0 beta.)

[ No doubt, RIM's had a bad year. Will RIM Make It To 2013? ]

RIM responded to the news of a jailbreak for its beleaguered tablet. "RIM will follow its standard response process to develop and release a software update that is designed to minimize adverse impact to our customers or carrier partners," RIM said in a statement last week. "RIM is aware that the security researchers have stated they intend to release a tool to jailbreak the BlackBerry PlayBook tablet. If such a tool is released, RIM will investigate it."

As stated, the security patch was able to close up the breach discovered by the Dingleberry developers--but not for long.

Chris Wade, one of the researchers behind the rooting tool, released a new version of Dingleberry that uses a different exploit to punch through the PlayBook's security to achieve jailbreak.

RIM has yet to make any statements about the new jailbreak, but surely it is cursing and already looking at ways to plug the new hole.

Earlier this year, the PlayBook was awarded FIPS certification by the National Institute of Standards and Technology (NIST). It is the only tablet that has received this level of security certification.

FIPS certification is required for devices to be used by the federal government. This clears the PlayBook for use by government agencies, and means the PlayBook meets RIM's own stringent security requirements for features such as native email and contact management.

RIM has to stand by the PlayBook, especially with respect to security. I'd expect RIM to distribute a new security update as quickly as it can.

Database access controls keep information out of the wrong hands. Limit who sees what to stop leaks--accidental and otherwise. Also in the new, all-digital Dark Reading supplement: Why user provisioning isn't as simple as it sounds. Download the supplement now. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2037
Published: 2014-11-26
Openswan 2.6.40 allows remote attackers to cause a denial of service (NULL pointer dereference and IKE daemon restart) via IKEv2 packets that lack expected payloads. NOTE: this vulnerability exists because of an incomplete fix for CVE 2013-6466.

CVE-2014-6609
Published: 2014-11-26
The res_pjsip_pubsub module in Asterisk Open Source 12.x before 12.5.1 allows remote authenticated users to cause a denial of service (crash) via crafted headers in a SIP SUBSCRIBE request for an event package.

CVE-2014-6610
Published: 2014-11-26
Asterisk Open Source 11.x before 11.12.1 and 12.x before 12.5.1 and Certified Asterisk 11.6 before 11.6-cert6, when using the res_fax_spandsp module, allows remote authenticated users to cause a denial of service (crash) via an out of call message, which is not properly handled in the ReceiveFax dia...

CVE-2014-7141
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and crash) via a crafted type in an (1) ICMP or (2) ICMP6 packet.

CVE-2014-7142
Published: 2014-11-26
The pinger in Squid 3.x before 3.4.8 allows remote attackers to obtain sensitive information or cause a denial of service (crash) via a crafted (1) ICMP or (2) ICMP6 packet size.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?