New Vulnerability Found In BlackBerry's Web Application Loader
Flaw could allow attackers to gain control of the device, researchers warn
Just a few weeks after President Obama won his fight to keep his BlackBerry, the handheld's security is causing concern again.
BlackBerry maker Research In Motion this week is warning users about a newly discovered vulnerability that could potentially enable an attacker to gain remote control of the device or crash its browser.
The flaw was found in the BlackBerry's Web Application Loader, an ActiveX feature that enables the handheld to load new applications via the Internet Explorer browser. RIM says that "an exploitable buffer overflow" exists in the BlackBerry Application Web Loader ActiveX control.
According to an advisory issued by US-CERT, the flaw may be exploited by phishers or other attackers. "By convincing a user to view a specially crafted HTML document, an attacker may be able to execute arbitrary code with the privileges of the user," the advisory says. "The attacker could also cause Internet Explorer to crash."
US-CERT says the vulnerability has been assigned a Common Vulnerability Scoring System rating of 9.3 on a 10-point scale, which means the vulnerability is highly dangerous and potentially easy to exploit.
RIM says users can eliminate the vulnerability by uploading the current, patched version of Web Application Loader, which does not have the flaw. Users can also disable the ActiveX control in their current browsers, the company says.
Less than a month ago, RIM issued patches to repair vulnerabilities in the PDF distiller feature used by the BlackBerry Attachment Service, which helps readers view attachments sent via email. "These vulnerabilities could enable a malicious individual to send an email message containing a specially crafted PDF file, which, when opened for viewing on a BlackBerry smartphone, could cause memory corruption and possibly lead to arbitrary code execution on the computer that hosts the BlackBerry Attachment service," RIM said on Jan. 13.
Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message
About the Author
You May Also Like
DevSecOps/AWS
Oct 17, 2024Social Engineering: New Tricks, New Threats, New Defenses
Oct 23, 202410 Emerging Vulnerabilities Every Enterprise Should Know
Oct 30, 2024Simplify Data Security with Automation
Oct 31, 2024