Blackberry security: RIM releases patch for buggy ActiveX control
Research In Motion has patched a piece of software for Windows PCs that could leave them vulnerable to attack when loading new applications onto BlackBerry devices.
The flaw lies in an ActiveX control used to load third-party applications onto BlackBerrys connected to a PC via a USB cable. An ActiveX control is a small add-on program that works in a Web browser to facilitate the downloading of programs or security updates. However, the controls have been prone to vulnerabilities.
RIM said in an advisory that a vulnerability is introduced to a PC when someone runs the BlackBerry Application Web Loader Version 1.0 ActiveX control with any version of Microsoft's Internet Explorer browser. The advisory contains a link to the patch.
The vulnerability is an exploitable buffer overflow, a memory-handling flaw that could allow unauthorized code to run. RIM didn't give details on how it might be exploited.
However, the U.S. Computer Emergency Readiness Team (CERT) said an attacker may be able to execute arbitrary code with the privileges of a user by getting that user to view a specially crafted HTML document. It could also cause Internet Explorer to crash, CERT wrote in an advisory.
The problem scores a 9.3 on the Common Vulnerability Scoring System (CVSS), a way to evaluate the danger of a flaw. A score of 10 is considered the most dangerous, and anything above a seven is considered highly severe.
RIM advises that customers apply the patch. In its latest security updates on Tuesday, Microsoft also released a "kill bit" for the affected ActiveX control. A kill bit blocks an ActiveX control from running in Internet Explorer.
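For administrators who want to confirm that the kill bit described above actually took effect on a machine, the following PowerShell script (an added example, not part of the article or of RIM's or Microsoft's material) reads the Internet Explorer ActiveX Compatibility registry entries for a control's CLSID and reports whether the 0x400 kill-bit flag is set; the CLSID used is a placeholder, since the article does not give the control's real identifier.

```powershell
# Added example: audit (and optionally set) the Internet Explorer kill bit for an ActiveX control.
# The kill bit is the 0x400 flag in the "Compatibility Flags" DWORD stored under the
# ActiveX Compatibility key for the control's CLSID. On 64-bit Windows, 32-bit IE reads
# the Wow6432Node view, so both views are checked.
# The CLSID below is a PLACEHOLDER; the article does not give the real control's CLSID.
$KillBitFlag      = 0x400
$PlaceholderClsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not the real control

function Get-ActiveXCompatKeys {
    param([Parameter(Mandatory)][string]$Clsid)
    @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
}

function Test-ActiveXKillBit {
    # Returns one object per registry view stating whether the kill bit is present.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($key in Get-ActiveXCompatKeys -Clsid $Clsid) {
        $flags = 0
        if (Test-Path $key) {
            $value = Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
            if ($value) { $flags = [int]$value.'Compatibility Flags' }
        }
        [pscustomobject]@{
            Key     = $key
            Flags   = ('0x{0:X}' -f $flags)
            KillBit = (($flags -band $KillBitFlag) -ne 0)
        }
    }
}

function Set-ActiveXKillBit {
    # Sets the kill bit in both views; needs an elevated shell. Other flags already set are preserved.
    param([Parameter(Mandatory)][string]$Clsid)
    foreach ($key in Get-ActiveXCompatKeys -Clsid $Clsid) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$current) -bor $KillBitFlag
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

# Report the current state for the (placeholder) control.
Test-ActiveXKillBit -Clsid $PlaceholderClsid | Format-Table -AutoSize
```

Run Test-ActiveXKillBit after the Microsoft update has been applied; a KillBit value of False in either view means the control can still be instantiated by that edition of Internet Explorer.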
IDG News Service