BlackBerry Forums Support Community


daphne 11-30-2008 10:40 PM

Critical security vulnerability in BlackBerry Desktop Software
 
Just published 11-28-08

BlackBerry Desktop Software FlexNET Connect ActiveX Control Vulnerability - Secunia Advisories - Vulnerability Intelligence - Secunia.com

Quote:

Secunia Advisory: SA32842
Release Date: 2008-11-28

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch

Software: BlackBerry Desktop Software 4.x

CVE reference: CVE-2007-0328 - Secunia Advisories - Vulnerability Intelligence - Secunia.com

Description:
A vulnerability has been reported in BlackBerry Desktop Software, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to the inclusion of a vulnerable FlexNET Connect ActiveX control.

For more information:
SA25501

The vulnerability is reported in versions 4.2.2 through 4.7.

Solution:
Apply patches. Please see the vendor's advisory for more details.
https://www.blackberry.com/Downloads...93E4F3BB068C22

Original Advisory:
Updating an ActiveX control that the Roxio Media Manager uses

Other References:
SA25501:
Macrovision FLEXnet Connect DWUpdateService ActiveX Control Insecure Methods - Secunia Advisories - Vulnerability Intelligence - Secunia.com

US-CERT VU#524681:
US-CERT Vulnerability Note VU#524681
Advisory from RIM:
Updating an ActiveX control that the Roxio Media Manager uses


Quote:

Environment
BlackBerry® Desktop Software versions 4.2.2 to 4.7
Microsoft® Internet Explorer version (all versions)
--------------------------------------------------------------------------
Overview
The BlackBerry Desktop Manager includes the Roxio® Media Manager for managing media synchronization between the BlackBerry smartphone and the Microsoft® Windows computer. The Roxio Media Manager includes a Microsoft® ActiveX® control used for retrieving and installing application updates. The ActiveX control has the following properties:

ActiveX control property: Value
Name: DWUpdateService
Class identifier: 551E5190-19C7-4626-9D54-FB20355E6467
--------------------------------------------------------------------------

Problem
A buffer overflow exists in the DWUpdateService ActiveX control that could potentially be exploited when a user visits a malicious web page that invokes this control.

Research In Motion (RIM) is tracking this issue as SDR234293.

RIM recommends that you follow the instructions provided here to determine whether your system is affected and where BlackBerry smartphone users can download updated software that addresses the issue.
--------------------------------------------------------------------------

Resolution
Determine whether your system is affected
On the computer on which the BlackBerry Desktop Software is installed, browse to <COMMONFILES>\InstallShield\UpdateService\agent.exe (on most systems, C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe)
Right-click agent.exe and select Properties.
Click the Version tab and verify the version shown. If the File version is 6.0.100.65100 or earlier, the file is affected and can be protected by upgrading the software.


-------------------------------------------------------------------------

Upgrade the BlackBerry Desktop Software

If the affected version of agent.exe is present on the computer on which the BlackBerry Desktop Software is installed, upgrade to the latest patch for the BlackBerry Desktop Software version 4.5, 4.6, or 4.7.
Note: The minimum BlackBerry Desktop Software version you can install to resolve this issue is 4.5.


Visit https://www.blackberry.com/Downloads...93E4F3BB068C22.
In the drop-down list, select BlackBerry Desktop Software v.4.5, BlackBerry Desktop Software v.4.6, or BlackBerry Desktop Software v.4.7 and click Next.
Choose a BlackBerry Desktop Manager bundle to download that includes the With Media Manager option.
Complete the download process and follow the installation instructions to complete the upgrade process.

OR:
Install a patch from a third-party software vendor
If you do not want to upgrade your BlackBerry Desktop Software, you can install a patch from third-party software vendor Acresso™ Software to address the issue.

Visit kb.roxio.com/content/kb/General%20Information/000072GN to see the related notice from Sonic Solution’s Roxio for more information, and to download and install the FLEXNet® Connect patch from Acresso Software.

Acknowledgements
RIM worked with Sonic Solutions to address the vulnerability, which was identified by US-Computer Emergency Readiness Team Coordination Center (CERT/CC). This article is in reference to US-CERT Advisory VU# 524681.


Additional Information
Visit BlackBerry - BlackBerry Enterprise Solution | Wireless Network Security for Corporate Data for more information on BlackBerry security.

Visit US-CERT Vulnerability Note VU#524681 for the related US-CERT advisory.

Visit kb.roxio.com/content/kb/General%20Information/000072GN to see the related notice from Sonic Solution’s Roxio for more information.
(Bolded text by me)

So the bottom line is that users should check the properties of the file shown in the screenshot here.



If the File version is 6.0.100.65100 or earlier, they need to upgrade Desktop Manager meaning, re-download and install 4.5, 4.6, or 4.7 because RIM has replaced/upgraded the file to a newer version now.

In summary:
If you have BlackBerry Desktop Manager versions 4.2 through 4.7, you should check the file properties shown in the screenshot. To get there, open My Computer > Program Files > Common Files > InstallShield > UpdateService. Right-click the file 'agent.exe', and click Properties. You can see the file version in the screenshot. My version needs to be updated because it's lower than 6.0.100.65100.

Note, the advisory says Note: The minimum BlackBerry Desktop Software version you can install to resolve this issue is 4.5.

That means if you have DM 4.2, you should upgrade to at least 4.5 to fix the vulnerability.

If you have Desktop Manager installed without Roxio, check the file still, but you should not need to upgrade according to my understanding.
Any questions, ask.
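The manual check above (Properties > Version tab on agent.exe) can be done from PowerShell. This is an added example, not from RIM or the advisory; it assumes the KB article's default path and compares the four numeric version parts rather than the displayed string, so a version shown as "6, 0, 100, 54472" is still compared correctly.

```powershell
# Added example (not RIM's or Secunia's code): report whether the FLEXnet Connect
# agent.exe on this PC is at or below the affected version from the RIM KB article.
$Threshold = [System.Version]'6.0.100.65100'          # affected if <= this
$Common    = [Environment]::GetFolderPath('CommonProgramFiles')
$AgentPath = Join-Path $Common 'InstallShield\UpdateService\agent.exe'

if (-not (Test-Path $AgentPath)) {
    Write-Output "agent.exe not found at $AgentPath (FLEXnet Connect agent not installed)"
    return
}

# Use the numeric parts, not the FileVersion string: the Properties dialog may show
# "6, 0, 100, 54472", and a plain string comparison of such values is unreliable.
$vi        = (Get-Item $AgentPath).VersionInfo
$Installed = New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                                       $vi.FileBuildPart, $vi.FilePrivatePart)

if ($Installed -le $Threshold) {
    Write-Output "AFFECTED: agent.exe $Installed is <= $Threshold. Upgrade BlackBerry Desktop Software to 4.5 or later, or apply the Acresso FLEXnet Connect patch."
} else {
    Write-Output "OK: agent.exe $Installed is newer than $Threshold."
}

# Also note whether the DWUpdateService control (CLSID from the KB article) is
# registered on this machine, i.e. whether Internet Explorer could load it at all.
$Clsid = '{551E5190-19C7-4626-9D54-FB20355E6467}'
if (Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid") {
    Write-Output "DWUpdateService control $Clsid is registered."
} else {
    Write-Output "DWUpdateService control $Clsid is not registered."
}
```

Run it on each PC that has Desktop Manager with Media Manager installed; a machine where agent.exe is missing and the CLSID is not registered does not have the vulnerable control.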

dbltap 12-01-2008 07:55 AM

Just a question on this.... Per the data above, this was released on Nov 28th. Yet this morning on the download page the version listed is 4.7.0 B50 and a date of Nov 17, 2008. Should we be looking for a version greater than B50? Or was the fix already in B50? It's a 310 meg download and I don't want to do it again if I already have it.

JSanders 12-01-2008 09:23 AM

Apparently so, I understand from reading the KB article.

tsac 12-01-2008 10:25 AM

Thanks for the info. Looks like the Forum folks found another one!!

daphne 12-01-2008 10:54 AM

Quote:

Originally Posted by dbltap (Post 1190850)
Just a question on this.... Per the data above, this was released on Nov 28th. Yet this morning on the download page the version listed is 4.7.0 B50 and a date of Nov 17, 2008. Should we be looking for a version greater than B50? Or was the fix already in B50? It's a 310 meg download and I don't want to do it again if I already have it.

It looks like the vulnerability was known for a few weeks prior to the Secunia advisory of 11-28-08. Most likely RIM and the other companies updated their software prior to the advisory being posted on Secunia. This is a common practice when security vulnerabilities are discovered -- the companies are told so it can be fixed before it's publicized. That way miscreants don't have a chance to use it to attack users before there is a patch.

dbltap 12-01-2008 12:27 PM

Well... I got to the system I am running 4.7.0 B50 on and found the agent.exe File version is 6.0.100.65101. So it looks like that version is indeed the updated one even though the download is dated Nov 17.

Moonshadow 12-01-2008 12:29 PM

Wirelessly posted (8130)

You should make this a sticky.

Vertioch 12-01-2008 01:24 PM

I also got this security alert. If you use their link, you can actually grab several different flavors of the Desktop software - including ones without the annoying media manager - which is where the vulnerability exists anyways!

I did install the version w/o the media manager, and unfortunately it doesn't resolve the issue. I manually removed all the files pertaining to the bug after install to make sure the vulnerability is gone. (stupid Macrovision crap anyways...)

KOR 12-01-2008 01:56 PM

Question for Daphne
 
Hi Daphne,

My organization is standardized on Outlook 2000, and from what I'm told by TIM support, DM 4.5 does not support Outlook 2000, only 2003 and up. We have plans to move to 2003 but do not have a definite migration date at this point. Have you heard of anyone else in a similar situation and if so, if and how they resolved the issue?

Thanks & Ciao

strike2tamu 12-01-2008 05:08 PM

I guess I better update to 4.7
After the install my version still reads 6, 0, 100, 54472

raven71 12-01-2008 09:49 PM

Wirelessly posted (BOLD)

I just removed roxio and put just the 4.6 on without it.
I was getting too many lockups and my internet would not start. I removed Roxio and no problems.
This is the 4th time I have tried the Roxio and will not use it again.

daphne 12-02-2008 01:24 AM

Quote:

Originally Posted by KOR (Post 1191327)
Hi Daphne,

My organization is standardized on Outlook 2000, and from what I'm told by TIM support, DM 4.5 does not support Outlook 2000, only 2003 and up. We have plans to move to 2003 but do not have a definite migration date at this point. Have you heard of anyone else in a similar situation and if so, if and how they resolved the issue?

Thanks & Ciao

Hi KOR,

I believe that is correct that Desktop Manager 4.5 and above do not support Outlook 2000. If you absolutely cannot upgrade Outlook, the safest thing would be to have your users install Desktop Manager 4.2 without Media Manager/Roxio. The PCs should be checked for the presence of the vulnerable file shown in the screenshot, and it should be deleted if present.

According to what I read, there have been no instances of the Desktop Manager/Roxio vulnerability being used with exploits so far. That's not to say it couldn't happen, however.

MikQ 12-02-2008 07:41 AM

So... let me get this straight..
Lucky those who deleted their vendor.xml file, right?
They are not supposed to have this problem.. right?
comment me...mock me...anything...

JSanders 12-02-2008 08:10 AM

This has nothing to do with deleting the vendor.xml file.

If you never loaded the Roxio software, you will not have the issue above.

KOR 12-02-2008 08:29 AM

Quote:

Originally Posted by daphne (Post 1192137)
Hi KOR,

I believe that is correct that Desktop Manager 4.5 and above do not support Outlook 2000. If you absolutely cannot upgrade Outlook, the safest thing would be to have your users install Desktop Manager 4.2 without Media Manager/Roxio. The PCs should be checked for the presence of the vulnerable file shown in the screenshot, and it should be deleted if present.

According to what I read, there have been no instances of the Desktop Manager/Roxio vulnerability being used with exploits so far. That's not to say it couldn't happen, however.

Daphne,

Thanks for the reply & info. I mentioned this to our guy who sets up PCs and he also pointed out that when he's installed the Roxio piece on machines that they seem to take a lot longer to boot, 'hanging' during the 'applying computer settings'. I've never been all too impressed with this implementation of Roxio and think I will follow your advice. Thanks for the heads up and the assistance.

bcreekski 12-02-2008 09:19 AM

Quote:

Originally Posted by dbltap (Post 1191184)
Well... I got to the system I am running 4.7.0 B50 on and found the agent.exe File version is 6.0.100.65101. So it looks like that version is indeed the updated one even though the download is dated Nov 17.

You have the old version. If you read carefully, the info says "If the File version is 6.0.100.65100 or earlier, the file is affected...."

You will still need a newer version. It is not totally clear where this new version is located.

strike2tamu 12-02-2008 12:31 PM

After the upgrade to 4.7 mine still has the low version number.

JSanders 12-02-2008 01:18 PM

Quote:

Originally Posted by bcreekski (Post 1192428)
You have the old version. If you read carefully, the info says "If the File version is 6.0.100.65100 or earlier, the file is affected...."

You will still need a newer version. It is not totally clear where this new version is located.

hmmm... 6.0.100.65101 is greater than 6.0.100.65100

bcreekski 12-02-2008 05:24 PM

Thanks for checking my reading and number skills!! I feel dumbed down but will recover. Seriously, I am glad you saw my error.

MikQ 12-06-2008 06:53 AM

Quote:

Originally Posted by JSanders (Post 1192348)
This has nothing to do with deleting the vendor.xml file.

If you never loaded the Roxio software, you will not have the issue above.

Thanks JSanders,
I've upgraded to 4.7 and got 6.0.100.65101
Hope this fixes the vulnerability

Hope your team wins this weekend...
If you're not in good mood, blame mriff..
Have fun

