View Single Post
Old 11-30-2008, 10:40 PM   #1 (permalink)
daphne
BBF Spam Killer Moderator
 
daphne's Avatar
 
Join Date: May 2007
Location: on a sunny beach
Model: Z
OS: 10.2.1.12
PIN: X1ZPY34K
Carrier: VZW
Posts: 9,165
Post Thanks: 122
Thanked 146 Times in 116 Posts
Default Critical security vulnerability in BlackBerry Desktop Software

Please Login to Remove!

Just published 11-28-08

BlackBerry Desktop Software FlexNET Connect ActiveX Control Vulnerability - Secunia Advisories - Vulnerability Intelligence - Secunia.com

Quote:
Secunia Advisory: SA32842
Release Date: 2008-11-28

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch

Software: BlackBerry Desktop Software 4.x

CVE reference: CVE-2007-0328 - Secunia Advisories - Vulnerability Intelligence - Secunia.com

Description:
A vulnerability has been reported in BlackBerry Desktop Software, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to the inclusion of a vulnerable FlexNET Connect ActiveX control.

For more information:
SA25501

The vulnerability is reported in versions 4.2.2 through 4.7.

Solution:
Apply patches. Please see the vendor's advisory for more details.
https://www.blackberry.com/Downloads...93E4F3BB068C22

Original Advisory:
Updating an ActiveX control that the Roxio Media Manager uses

Other References:
SA25501:
Macrovision FLEXnet Connect DWUpdateService ActiveX Control Insecure Methods - Secunia Advisories - Vulnerability Intelligence - Secunia.com

US-CERT VU#524681:
US-CERT Vulnerability Note VU#524681
Advisory from RIM:
Updating an ActiveX control that the Roxio Media Manager uses


Quote:
Environment
BlackBerry® Desktop Software versions 4.2.2 to 4.7
Microsoft® Internet Explorer version (all versions)
--------------------------------------------------------------------------
Overview
The BlackBerry Desktop Manager includes the Roxio® Media Manager for managing media synchronization between the BlackBerry smartphone and the Microsoft® Windows computer. The Roxio Media Manager includes a Microsoft® ActiveX® control used for retrieving and installing application updates. The ActiveX control has the following properties:

ActiveX control property Value
Name DWUpdateService
Class identifier 551E5190-19C7-4626-9D54-FB20355E6467
--------------------------------------------------------------------------

Problem
A buffer overflow exists in the DWUpdateService ActiveX control that could potentially be exploited when a user visits a malicious web page that invokes this control.

Research In Motion (RIM) is tracking this issue as SDR234293.

RIM recommends that you follow the instructions provided here to determine whether your system is affected and where BlackBerry smartphone users can download updated software that addresses the issue.
--------------------------------------------------------------------------

Resolution
Determine whether your system is affected
On the computer on which the BlackBerry Desktop Software is installed, browse to <COMMONFILES>\InstallShield\UpdateService\agent.ex e (on most systems, C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe)
Right-click agent.exe and select Properties.
Click the Version tab and verify the version shown. If the File version is 6.0.100.65100 or earlier, the file is affected and can be protected by upgrading the software.


-------------------------------------------------------------------------

Upgrade the BlackBerry Desktop Software

If the affected version of agent.exe is present on the computer on which the BlackBerry Desktop Software is installed, upgrade to the latest patch for the BlackBerry Desktop Software version 4.5, 4.6, or 4.7.
Note: The minimum BlackBerry Desktop Software version you can install to resolve this issue is 4.5.


Visit https://www.blackberry.com/Downloads...93E4F3BB068C22.
In the drop-down list, select BlackBerry Desktop Software v.4.5, BlackBerry Desktop Software v.4.6, or BlackBerry Desktop Software v.4.7 and click Next.
Choose a BlackBerry Desktop Manager bundle to download that includes the With Media Manager option.
Complete the download process and follow the installation instructions to compete the upgrade process.

OR:
Install a patch from a third-party software vendor
If you do not want to upgrade your BlackBerry Desktop Software, you can install a patch from third-party software vendor Acresso™ Software to address the issue.

Visit kb.roxio.com/content/kb/General%20Information/000072GN to see the related notice from Sonic Solution’s Roxio for more information, and to download and install the FLEXNet® Connect patch from Acresso Software.

Acknowledgements
RIM worked with Sonic Solutions to address the vulnerability, which was identified by US-Computer Emergency Readiness Team Coordination Center (CERT/CC). This article is in reference to US-CERT Advisory VU# 524681.


Additional Information
Visit BlackBerry - BlackBerry Enterprise Solution | Wireless Network Security for Corporate Data for more information on BlackBerry security.

Visit US-CERT Vulnerability Note VU#524681 for the related US-CERT advisory.

Visit kb.roxio.com/content/kb/General%20Information/000072GN to see the related notice from Sonic Solution’s Roxio for more information.
(Bolded text by me)

So the bottom line is that users should check the properties of the file shown in the screenshot here.



If the File version is 6.0.100.65100 or earlier, they need to upgrade Desktop Manager meaning, re-download and install 4.5, 4.6, or 4.7 because RIM has replaced/upgraded the file to a newer version now.

In summary:
If you have BlackBerry Desktop Manager versions 4.2 through 4.7, you should check the file properties shown in the screenshot. To get there, open My Computer > Program Files > Common Files > Install Shield > Update Service. Right click the file 'agent.exe', and click Properties. You can see the file version in the screenshot. My version needs to be updated because its lower than 6.0.100.65100.

Note, the advisory says Note: The minimum BlackBerry Desktop Software version you can install to resolve this issue is 4.5.

That means if you have DM 4.2, you should upgrade to at least 4.5 to fix the vulnerability.

If you have Desktop Manager installed without Roxio, check the file still, but you should not need to upgrade according to my understanding.
Any questions, ask.
__________________
Report spam text messages to 7726
#BlackBerry by choice #BlacBerry 10 is here!
Offline   Reply With Quote