Blackberries Need Patching Too


Ask one hundred executives what one piece of equipment they couldn’t live a day without and 97 of them will probably say their Blackberry. Notwithstanding that the other three will tell you to ask their assistant to get back to you with an answer, the ‘always available’ access to email offered by Blackberries, iPhones, Androids, Windows Mobile, Symbian, and other smartphone platforms has elevated email from an important business application to a 24×7 mission-critical service, and, much like electricity, it is expected to just work. Given the importance of email, and the need to maintain these devices, it is absolutely essential to keep up with the security patches released by the vendors.

Last week, Research In Motion released KB26132, which details a significant security vulnerability in the WebKit rendering engine used by the web browser in Blackberry software version 6.0 and later. The issue was demonstrated at the Pwn2Own 2011 contest and has been very publicly disclosed. If a user browses to a malicious or compromised website with their Blackberry, they can be served an exploit that leads to remote code execution on the device. The exploit is delivered as JavaScript contained in the web page; JavaScript is not the source of the vulnerability, but it is required to exploit it. Beyond remote code execution, the code that runs has read-write access to data stored in the media storage section of the phone’s built-in memory and on any media card inserted into the phone.

A patch for this vulnerability is not available at the time of this writing, so Research In Motion recommends one of the following two workarounds (mitigating actions).

1) Disable JavaScript in the browser
JavaScript can be disabled on individual phones, or centrally through the Blackberry Enterprise Server administrative console using the IT policy rule called Disable JavaScript in Browser. This reduces the functionality of the browser, so make your users aware of the change.

2) Disable the browser
You can also disable the browser completely, either on individual phones or centrally through the Blackberry Enterprise Server administrative console using the Allow Browser IT policy rule and the Allow Other Browser Services IT policy rule. Once these rules are set to disallow the browser, it will not work at all; links in older emails, if clicked, will produce an error telling the user to contact their IT department. Again, make your users aware of this change.

In both cases, if you outsource management of your Blackberry Enterprise Server, you will need to work with your service provider to implement these policies.

Patching the Blackberries in your environment matters in its own right, but this incident should also emphasize the importance of adding smartphones to your enterprise patching process. Whether the phones are corporately purchased and maintained, or users are allowed to connect personal phones to the company’s email system, keeping every device fully patched and maintained is something your department should discuss. Develop a plan for patching corporate systems, and for verifying that users are patching their personally owned devices.
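As an added illustration of the verification step just described (this is example code written for this page, not anything from Research In Motion or from the post’s author), the script below runs a patch-compliance report over a constructed device inventory. It compares each device’s OS version numerically against a per-platform minimum build (the minimum values are placeholders, not real vendor release numbers), treats Blackberry 6.0 and later as affected by KB26132 and therefore in need of the IT-policy workaround rather than a patch, and splits the findings by corporate versus personally owned so each group can be followed up differently. The inventory rows and the `Device` shape are assumptions; a real deployment would pull them from the Blackberry Enterprise Server or the mail server’s device registry.

```python
"""Patch-compliance report for a mobile device inventory (added example).

Constructed example: the inventory rows and the minimum-version table are
made up for illustration. A real deployment would pull the device list from
BES or the mail server's device registry (assumed integration, not shown).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    user: str
    platform: str      # "blackberry", "android", "iphone", ...
    os_version: str    # vendor version string, e.g. "6.0.0.246"
    corporate: bool    # True = company-owned, False = personally owned


def parse_version(version: str) -> tuple:
    """Split "6.0.0.246" into (6, 0, 0, 246) so versions compare numerically.

    A plain string compare gets this wrong: "6.10" sorts before "6.9".
    Non-digit suffixes such as "4.3.1b" are ignored for the comparison.
    """
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(version: str, minimum: str) -> bool:
    """True when `version` >= `minimum`, padding so (6, 0) equals (6, 0, 0)."""
    a, b = parse_version(version), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


# Minimum patched build per platform. These values are placeholders
# (assumption), not real vendor release numbers; fill them from your own
# patch baseline.
MINIMUM_VERSION = {
    "android": "2.3.3",
    "iphone": "4.3.1",
    "blackberry": "5.0.0",
}

# From KB26132: the WebKit issue affects Blackberry software 6.0 and later,
# and at the time of the post no patch exists, so affected devices need the
# IT-policy workaround (disable JavaScript or the browser) instead of a patch.
WEBKIT_AFFECTED_FROM = "6.0"


def assess(device: Device) -> str:
    """Return 'compliant', 'needs-patch' or 'needs-policy-mitigation'."""
    if device.platform == "blackberry" and version_at_least(
        device.os_version, WEBKIT_AFFECTED_FROM
    ):
        return "needs-policy-mitigation"
    minimum = MINIMUM_VERSION.get(device.platform)
    if minimum is None or not version_at_least(device.os_version, minimum):
        return "needs-patch"  # unknown platform is treated as non-compliant
    return "compliant"


def report(devices) -> dict:
    """Group findings by owner type: corporate devices get patched centrally,
    personal devices are chased with the user."""
    out = {"corporate": {}, "personal": {}}
    for d in devices:
        bucket = "corporate" if d.corporate else "personal"
        out[bucket].setdefault(assess(d), []).append(d.user)
    return out


INVENTORY = [  # constructed sample data
    Device("alice", "blackberry", "6.0.0.246", True),
    Device("bob", "blackberry", "5.0.0.681", True),
    Device("carol", "android", "2.2.1", False),
    Device("dave", "iphone", "4.3.1", False),
    Device("erin", "android", "2.10.0", False),   # string compare would call this old
    Device("frank", "symbian", "9.4", False),     # no baseline defined for symbian
]

if __name__ == "__main__":
    for owner, findings in report(INVENTORY).items():
        for status, users in sorted(findings.items()):
            print(f"{owner:9s} {status:24s} {', '.join(users)}")
```

The numeric version comparison is the part most often done wrong in home-grown inventory scripts; the `erin` row is there to show the lexical-compare trap, and the `frank` row shows that a platform with no defined baseline is reported rather than silently passed.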

Given the challenge of patching equipment the company doesn’t own, I am curious: do you allow users to connect to your email system with personally owned equipment? How do you patch them?

Written by Ed Fisher

An InfoTech professional, aficionado of capsaicin, and Coffea canephora (but not together), I’ve been getting my geek on full-time since 1993, and have worked with information technology in some capacity since 1986. Stated simply, if you need to get information securely from a to b, I’m your guy. I’m like "The Transporter," but for data, and without the car. And with a little more hair.

2 Comments

  1. Lisa Richardson · March 26, 2011

    It’s a tricky situation – you don’t own the device, but since it is within your network and can inflict damage if unpatched, you can’t allow unpatched Blackberries, Androids, etc. to wander around. There must be some patch automation for mobiles. I personally don’t know of any such solution but there must be one (or if it still doesn’t exist, I am giving vendors a free idea to make it).

  2. Ed Fisher · March 28, 2011

    You’re right about that Lisa; we’re caught between the rock of users wanting to get to data, and the hard place of patching their equipment. I have read that the next version of SCCM will have some support for mobile devices, but I haven’t seen how to do that for personally owned equipment.
