2 Security Alerts – BlackBerry and Adobe

Two alerts are out dealing with vulnerabilities, one for BlackBerry and the other for Adobe.

BlackBerry


The research firm, Research in Motion (RIM), has urged BlackBerry users to disable JavaScript in the smartphone's browser in order to block exploits of a security vulnerability that was brought to public attention at this year's CanSecWest Pwn2Own contest. What is the vulnerability? It exists in the open source WebKit browser engine provided in BlackBerry Device Software version 6.0 and later, and was exploited to hack into a BlackBerry Torch 9800 smartphone to steal the contact list and image database.

How does the exploit occur?

Successful exploitation requires the BlackBerry user to browse to a website that the attacker has maliciously designed. A successful exploit lets the attacker use the BlackBerry Browser to access user data stored on the media card and in the built-in media storage on the BlackBerry smartphone, but not email and other personal information on the file system of the BlackBerry smartphone.

Adobe

Adobe is warning against a different type of attack: a zero-day attack using Microsoft Excel files and the Flash Player.

Adobe says that the "critical" vulnerability affects the latest versions of Adobe Flash Player for Windows, Mac OS X, Linux, Solaris and Chrome. It also exists in the authplay.dll component that ships with Adobe Reader and Acrobat X.

Reports show that the attacks have been limited so far. The targeted attacks use a Flash (.swf) file embedded in a Microsoft Excel (.xls) file and delivered as an email attachment.
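A defensive triage check for the delivery method described above, as an added example that is not part of the original post: it flags legacy Office (OLE2) attachments that contain a plausible SWF header. The function names, the version bound and the sample bytes are constructed for illustration; the magic values are the standard OLE2 and SWF signatures.

```python
import struct
import zlib

OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of legacy Office files (.xls, .doc)

def body_ok(sig, data, pos, declared_len):
    """Sanity-check the bytes after an 8-byte SWF header to cut false positives."""
    body = data[pos + 8:]
    if sig == b"FWS":
        return declared_len - 8 <= len(body)  # declared length must fit in the file
    try:
        # CWS: everything after the header is a zlib stream; inflate a small prefix
        return bool(zlib.decompressobj().decompress(body, 64))
    except zlib.error:
        return False

def find_embedded_swf(data):
    """Return sorted (offset, signature, swf_version) hits inside an OLE2 file."""
    if not data.startswith(OLE2_MAGIC):
        return []  # not an OLE2 container, out of scope for this check
    hits = []
    for sig in (b"FWS", b"CWS"):  # uncompressed and zlib-compressed SWF
        pos = data.find(sig)
        while pos != -1:
            header = data[pos:pos + 8]
            if len(header) == 8:
                version = header[3]
                (declared_len,) = struct.unpack("<I", header[4:8])
                # version <= 50 is a loose plausibility bound chosen for this example
                if 1 <= version <= 50 and declared_len >= 8 and body_ok(sig, data, pos, declared_len):
                    hits.append((pos, sig.decode(), version))
            pos = data.find(sig, pos + 1)
    return sorted(hits)

def constructed_samples():
    """Constructed test bytes (not real documents): one with SWF headers, one without."""
    fws = b"FWS" + bytes([10]) + struct.pack("<I", 24) + b"\x00" * 16
    cws = b"CWS" + bytes([10]) + struct.pack("<I", 24) + zlib.compress(b"\x00" * 16)
    with_flash = OLE2_MAGIC + b"\x00" * 504 + fws + b"\x00" * 32 + cws
    plain = OLE2_MAGIC + b"\x00" * 504 + b"Quarterly FWS figures"
    return with_flash, plain

if __name__ == "__main__":
    for name, blob in zip(("with_flash", "plain"), constructed_samples()):
        print(name, find_embedded_swf(blob))
```

OLE2 streams can be split across non-contiguous sectors, so a raw byte scan like this is a first-pass filter for mail attachments and not a substitute for a full OLE parser.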

What does the vulnerability allow?

This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system. Adobe is not currently aware of attacks targeting Adobe Reader and Acrobat. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing.

So what is being done about it? Adobe expects to ship a patch for Flash Player 10.x and earlier versions for different operating systems including Windows, Mac, Linux, Solaris and Android. The release date of the patch is March 21st.
