BlackBerryForums.com : Your Number One BlackBerry Community
     

  (#1 (permalink)) Old
bbt Offline
New Member
 
Posts: 1
Join Date: Jun 2009
Model: 8100
PIN: N/A
Carrier: Etisalat
Default Browser Javascript Security Risk - 06-21-2009, 03:56 AM

Background:
Reviewing BES IT policy.

Query:
Before configuring the IT policy rules on browser JavaScript, I would like to know the risk associated with enabling JavaScript on the BlackBerry browser, assuming that I have already configured the following IT policy rules:

Disallow Third Party Application Downloads = TRUE
Allow ThirdParty Use SerialPort = FALSE
Allow Internal Connections = FALSE
Allow External Connections = FALSE
Allow SplitPipe Connections = FALSE

If we allow JavaScript in the browser and the user goes to a website with malicious JavaScript, will this only result in DOS for the device, or will it affect the BES environment or other systems in the corporate network?
   

  (#2 (permalink)) Old
dankarlinski Offline
BlackBerry Extraordinaire
 
 
Posts: 2,340
Join Date: May 2007
Model: 9000
OS: 4.6
Carrier: USPS
Default 06-21-2009, 07:54 AM

Wirelessly posted (MY 8900)

Well, the berry still has yet to be hacked, so even if you went to malicious sites, they couldn't do anything more serious than maybe reset the device.

And this would all need to be confirmed by the user (in pop-up like dialog boxes)


TFLN

- (405): There really should be an "avoid ghetto" option on my GPS.
   
  (#3 (permalink)) Old
bluscreened Offline
New Member
 
Posts: 3
Join Date: Jun 2009
Model: 8330
PIN: N/A
Carrier: Verizon
Default Disagree.... - 06-24-2009, 01:35 PM

We implemented a BES a while back and I had the exact same question as you bbt.

I ended up disabling JavaScript in browsers.

Yes, it's true that BlackBerrys haven't been hacked in this way......yet. But at some point in the past Windows Mobile had never been hacked either, and the same with Apple computers, both of which have active exploits out there. All it takes is for people to start targeting them. It's the same to me as saying "I don't wear seatbelts because I have never been in an accident up to this point".

Plus there are already JavaScript exploits for other platforms like Adobe.

(Sorry, I had links to the WM, Apple and Adobe claims but I'm a new poster and can't put links in)

Sure, it's a pain sometimes for users when websites don't appear correctly on their Berrys, but these are company-provided phones. As admins we are always faced with having to possibly sacrifice usability for security, but hey, if it doesn't affect a user's job THAT much (and it hasn't up to this point), then I like to err on the side of caution.

Plus with BlackBerrys becoming more and more popular with private consumers, I just think it's only a matter of time before people target them too and one day succeed (read seatbelt analogy) and I'd rather be on the correct side of the eight ball.

Last edited by bluscreened : 06-24-2009 at 01:37 PM.
   
  (#4 (permalink)) Old
SteveO86 Offline
Bay Harbor Butcher
 
 
Posts: 5,160
Join Date: Sep 2007
Location: Florida
Model: 9550
OS: 5.0.0.320
PIN: I heard it drop!
Carrier: Verizon Wireless BIS
Default 06-24-2009, 07:40 PM

I honestly would not worry about it.. The malicious code would have had to be specifically coded to crash a BlackBerry, since its OS architecture is so different from a Windows OS...

And the second it becomes possible I am sure we will see various Security alerts/patches from RIM and other security groups, not to mention it will probably get some TV time..


For the first time I feel the future might hold something different for me. It's possible I'm fooling myself but I'm willing to take the risk.

  (#5 (permalink)) Old
bluscreened Offline
New Member
 
Posts: 3
Join Date: Jun 2009
Model: 8330
PIN: N/A
Carrier: Verizon
Default 06-24-2009, 10:46 PM

Ehh, comparing Windows to BlackBerry is irrelevant to me. Many people have Windows which means there are many people that hack at it.

My point simply was about exploitation in general, not necessarily mass exploitation like seen with Windows. Also, I am fully aware that I am probably overly paranoid in terms of IT security, but it is my motto that if something can be exploited, it will be exploited. And RIM's code is not flawless, which has been proven by the various PDF exploits in the file conversion service on BlackBerry Enterprise Server.

Now with that said, I suppose one could assume that if JavaScript were a threat, it would be under the "Security" sections of an IT policy and not the "Browser" group. Plus RIM's own documentation on securing a BES and BlackBerrys makes no mention of JavaScript
(na.blackberry.com/eng/deliverables/1835/Protecting%20the%20BlackBerry%20device%20platform%20against%20malware.pdf)

Would anyone happen to know why the "Disable Javascript" option is there if not for security? Are there other reasons a company would want to disable that feature?

On a personal phone, I enable JavaScript because websites can be a pain without it. But in a corporate environment my paranoia can get the best of me.

I like this discussion because I have been going back and forth over whether or not to allow JS on BB browsers.
   
  (#6 (permalink)) Old
SteveO86 Offline
Bay Harbor Butcher
 
 
Posts: 5,160
Join Date: Sep 2007
Location: Florida
Model: 9550
OS: 5.0.0.320
PIN: I heard it drop!
Carrier: Verizon Wireless BIS
Default 06-25-2009, 07:26 PM

I really think you are being over paranoid (and I mean no offense by it). As far as RIM's PDF issue, yes it's an issue, but has it ever been reported to actually happen?

I don't think there is an IT policy to disable JS.. May want to check the IT policy reference guide to make sure though.


For the first time I feel the future might hold something different for me. It's possible I'm fooling myself but I'm willing to take the risk.

  (#7 (permalink)) Old
bluscreened Offline
New Member
 
Posts: 3
Join Date: Jun 2009
Model: 8330
PIN: N/A
Carrier: Verizon
Default 06-25-2009, 08:12 PM

Ehh, when you work on large systems like I do, it pays to be paranoid. May even save your job.

FYI, very few successful intrusions or security-related compromises become public knowledge, especially when it's a compromise of a single or a small number of users. I'm afraid it's impossible to say one way or the other whether or not the Adobe exploit has ever happened in a production environment. I don't really see how you can make the assumption it hasn't.

And yes, there is an IT policy to disable JavaScript in browsers because I have JS disabled via an IT policy for my corporate user base. It's pretty much what this thread is about as the OP is wondering if he/she should enable the policy in BES.

Last edited by bluscreened : 06-25-2009 at 08:14 PM.
   
Copyright © 2004-2009 BlackBerryFAQ.com, BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of Research In Motion Limited.