Blackberry released two security bulletins yesterday, fixing flaws in its software for the Blackberry Playbook and Blackberry Z10 smartphone.
BSRT-2013-005 affects both the Z10 and the Playbook and fixes vulnerabilities in the bundled Adobe Flash Player.
This raises an important question in my mind, though. Why on earth has Blackberry launched a new mobile operating system with Flash support, knowing full well the number of vulnerabilities and in-the-wild attacks against it?
Apple was first to shun Flash while some Android handset makers bragged about Flash support. For about a month. Then Adobe pulled the plug on its own Android package.
This seemed to have resolved the issue and HTML5 was the winner for mobile interactive content. “Winner by default,” or so I thought.
Now you might think it is a “nice to have” so long as Blackberry keeps it up-to-date and makes it easy to apply to your device. Adobe released Flash fixes yesterday too, right?
While that is true, the Flash fixes released by Blackberry yesterday were from back in January. Yes, they fixed the vulnerabilities described in APSB13-01.
I took a look back at fixes for the Playbook and discovered that Blackberry appears to continuously lag about five months behind.
The company released patches for the November and December 2012 Flash updates in May 2013.
Blackberry also released BSRT-2013-006, fixing a vulnerability in its Blackberry Protect application for the Z10 smartphone.
The vulnerability itself seems extremely difficult for an attacker to exploit:
"Successful exploitation requires not only that a customer enable BlackBerry® Protect™, use the feature to reset the device password, and download a specifically crafted malicious app, but also that an attacker gain physical access to the smartphone."
Nevertheless, there are some very important lessons to be learned from this bulletin.
"Unlock the work perimeter... if the work perimeter password is the same as the device password"
"Access any other local and enterprise services for which the legitimate user has used the same password as the smartphone’s password."
Passwords. It always comes back to passwords, and it is an even more difficult problem on smartphones than it is on desktop and laptop computers.
While Blackberry’s latest OS lets users segregate their work and home lives using “perimeters”, those are only secure if you use different credentials to access each.
Even worse, if you use the same password for your phone, your work perimeter, your home perimeter and your Active Directory credentials, one mistake brings down the whole house of cards.
It may be highly unlikely that you get compromised as a result of this vulnerability, but it is a good reminder on the importance of using unique passwords for each “role” in your life.