BlackBerry Forums Support Community               

Closed Thread
 
Old 06-21-2009, 03:56 AM   #1 (permalink)
bbt
New Member
 
Join Date: Jun 2009
Model: 8100
PIN: N/A
Carrier: Etisalat
Posts: 1
Post Thanks: 0
Thanked 0 Times in 0 Posts
Browser Javascript Security Risk

Background:
Reviewing BES IT policy.

Query:
Before configuring the IT policy rules on browser JavaScript, I would like to know the risk associated with enabling JavaScript on the BlackBerry browser, assuming that I have already configured the following IT policy rules:

Disallow Third Party Application Downloads = TRUE
Allow ThirdParty Use SerialPort = FALSE
Allow Internal Connections = FALSE
Allow External Connections = FALSE
Allow SplitPipe Connections = FALSE

If we allow JavaScript in the browser and the user goes to a website with malicious JavaScript, will this only result in a DoS for the device, or will it affect the BES environment or other systems in the corporate network?
Old 06-21-2009, 07:54 AM   #2 (permalink)
BlackBerry Master
 
dankarlinski's Avatar
 
Join Date: May 2007
Model: 1
Carrier: 1
Posts: 3,391
Post Thanks: 1
Thanked 2 Times in 2 Posts

Wirelessly posted (MY 8900)

Well, the berry still has yet to be hacked, so even if you went to malicious sites, they couldn't do anything more serious than maybe reset the device.

And this would all need to be confirmed by the user (in pop-up like dialog boxes)
Old 06-24-2009, 01:35 PM   #3 (permalink)
New Member
 
Join Date: Jun 2009
Model: 8330
PIN: N/A
Carrier: Verizon
Posts: 3
Post Thanks: 0
Thanked 0 Times in 0 Posts
Disagree....

We implemented a BES a while back and I had the exact same question as you bbt.

I ended up disabling JavaScript in browsers.

Yes, it's true that BlackBerrys haven't been hacked in this way......yet. But at some point in the past Windows Mobile had never been hacked either, and the same with Apple computers, both of which have active exploits out there. All it takes is for people to start targeting them. It's the same to me as saying "I don't wear seatbelts because I have never been in an accident up to this point".

Plus there are already JavaScript exploits for other platforms like Adobe.

(Sorry, I had links to the WM, Apple and Adobe claims but I'm a new poster and can't put links in.)

Sure, it's a pain sometimes for users when websites don't appear correctly on their Berrys, but these are company-provided phones. As admins we are always faced with having to possibly sacrifice usability for security, but hey, if it doesn't affect a user's job THAT much (and it hasn't up to this point), then I like to err on the side of caution.

Plus, with BlackBerrys becoming more and more popular with private consumers, I just think it's only a matter of time before people target them too and one day succeed (read seatbelt analogy), and I'd rather be on the correct side of the eight ball.

Last edited by bluscreened : 06-24-2009 at 01:37 PM.
Old 06-24-2009, 07:40 PM   #4 (permalink)
BlackBerryForums.com Super Moderator
 
SteveO86's Avatar
 
Join Date: Sep 2007
Location: Florida
Model: 9650
OS: 6.0.0.280
PIN: I heard it drop!
Carrier: VZW BIS
Posts: 6,534
Post Thanks: 0
Thanked 4 Times in 1 Post

I honestly would not worry about it. The malicious code would have had to be specifically coded to crash a BlackBerry, since its OS architecture is so different from a Windows OS...

And the second it becomes possible I am sure we will see various Security alerts/patches from RIM and other security groups, not to mention it will probably get some TV time..
__________________
8830 -> 8330 -> 9550 -> 9650
Just think about how far BlackBerries have come from then till now... And what else is coming.

Old 06-24-2009, 10:46 PM   #5 (permalink)
New Member
 
Join Date: Jun 2009
Model: 8330
PIN: N/A
Carrier: Verizon
Posts: 3
Post Thanks: 0
Thanked 0 Times in 0 Posts

Ehh, comparing Windows to BlackBerry is irrelevant to me. Many people have Windows which means there are many people that hack at it.

My point simply was about exploitation in general, not necessarily mass exploitation like that seen with Windows. Also, I am fully aware that I am probably overly paranoid in terms of IT security, but it is my motto that if something can be exploited, it will be exploited. And RIM's code is not flawless, which has been proven by the various PDF exploits in the file conversion service on BlackBerry Enterprise Server.

Now with that said, I suppose one could assume that if JavaScript were a threat, it would be under the "Security" sections of an IT policy and not the "Browser" group. Plus RIM's own documentation on securing a BES and BlackBerrys makes no mention of JavaScript
(na.blackberry.com/eng/deliverables/1835/Protecting%20the%20BlackBerry%20device%20platform%20against%20malware.pdf)

Would anyone happen to know why the "Disable Javascript" option is there if not for security? Are there other reasons a company would want to disable that feature?

On a personal phone, I enable JavaScript because websites can be a pain without it. But in a corporate environment my paranoia can get the best of me.

I like this discussion because I have been going back and forth over whether or not to allow JS on BB browsers.
Old 06-25-2009, 07:26 PM   #6 (permalink)
BlackBerryForums.com Super Moderator
 
SteveO86's Avatar
 
Join Date: Sep 2007
Location: Florida
Model: 9650
OS: 6.0.0.280
PIN: I heard it drop!
Carrier: VZW BIS
Posts: 6,534
Post Thanks: 0
Thanked 4 Times in 1 Post

I really think you are being over paranoid (and I mean no offense by it). As far as RIM's PDF issue, yes it's an issue, but has it ever been reported to actually happen?

I don't think there is an IT policy to disable JS. May want to check the IT policy reference guide to make sure though.
__________________
8830 -> 8330 -> 9550 -> 9650
Just think about how far BlackBerries have come from then till now... And what else is coming.

Old 06-25-2009, 08:12 PM   #7 (permalink)
New Member
 
Join Date: Jun 2009
Model: 8330
PIN: N/A
Carrier: Verizon
Posts: 3
Post Thanks: 0
Thanked 0 Times in 0 Posts

Ehh, when you work on large systems like I do, it pays to be paranoid. May even save your job.

FYI, very few successful intrusions or security-related compromises become public knowledge, especially when it's a compromise of a single or a small number of users. I'm afraid it's impossible to say one way or the other whether or not the Adobe exploit has ever happened in a production environment. I don't really see how you can make the assumption it hasn't.

And yes, there is an IT policy to disable JavaScript in browsers because I have JS disabled via an IT policy for my corporate user base. It's pretty much what this thread is about as the OP is wondering if he/she should enable the policy in BES.

Last edited by bluscreened : 06-25-2009 at 08:14 PM.
Copyright 2004-2014 BlackBerryForums.com.
The names RIM and BlackBerry are registered Trademarks of BlackBerry Inc.