RIM Recommends Temporary Action On Pwn2Own Exploit
RIM has recommended that users disable JavaScript entirely on the BlackBerry while it readies a patch
Research in Motion recommended that users disable JavaScript on their mobile browsers to protect against the exploit that was used at the Pwn2Own hacking contest last week.
RIM updated its security advisory on 15 March urging BlackBerry users to disable JavaScript on their mobile browsers or to disable the browser altogether to prevent remote hackers from accessing data on the device. The initial security advisory was posted on March 14 to warn users of the WebKit vulnerability that was discovered at Pwn2Own at CanSecWest last week.
BlackBerry OS 6 and later affected
Pwn2Own pitted security researchers against four web browsers and four mobile platforms. A BlackBerry Torch 9800 running the latest version of the BlackBerry OS 6 was cracked because of a vulnerability in the WebKit browser rendering engine. Since RIM made the switch to WebKit for its mobile browser fairly recently, the exploit affects only devices running BlackBerry OS 6 and later.
WebKit is implemented by a number of mobile and desktop applications, including Apple’s iOS and Safari browser. Pwn2Own contestants also cracked Safari and Microsoft’s Internet Explorer using various WebKit vulnerabilities.
The BlackBerry exploit could access any user data stored in the media card or built-in storage, although email, calendar and contacts data are safe, RIM said in its security advisory. The BlackBerry’s applications and application data are stored in a separate area the exploit can’t reach, RIM said.
All BlackBerry users should be cautious about which websites they visit using their mobile devices until the issue has been addressed, RIM said. As an additional precaution, RIM advised users to disable JavaScript on the mobile browser because “JavaScript is necessary to exploit the vulnerability,” RIM said. RIM also suggested disabling the mobile browser entirely as an option.
Disabling JavaScript will result in a less than optimal browsing experience since a significant number of websites use some kind of JavaScript on their mobile pages, RIM said. While RIM is working on a hotfix, there was no timeline specified in the advisory. It’s also unclear if RIM will rely on carriers to roll out the fix, as that may further delay when users get the actual patch on their phones.
Exploit publicly known
Oddly enough, RIM said in its advisory that “the exploitation of the vulnerability was performed at the Pwn2Own 2011 contest and is publicly known”. Under contest rules, security researchers are forbidden from publicising the details of the vulnerability or the exploit used because HP Tipping Point works with the vendor to fix the flaw. The claim that it is a publicly known exploit is also interesting considering that according to RIM there have also been no reports to the BlackBerry Security Incident Response Team about the hack being successfully exploited outside Pwn2Own’s closed environment.
While the exact steps required to turn off the feature vary by phone model, the basic idea appears to be to uncheck the JavaScript box in the options menu under “Web Content” on the browser, according to the advisory. The advisory lists instructions for the BlackBerry Torch 9800, BlackBerry Style 9670, BlackBerry Bold 9700 and 9300, and BlackBerry Pearl 9100.
IT managers can disable JavaScript enterprise-wide by invoking the Disable JavaScript in Browser IT policy rule on the BlackBerry Enterprise Server management console. The browser itself can be disabled altogether using the Allow Browser IT policy rule, RIM said.
If the browser is disabled entirely, the user will no longer have the BlackBerry Browser icon and will not be able to click on any links or browse to any pages, RIM added as a reminder.