Critical security vulnerability in BlackBerry Desktop Software
 

Just published 11-28-08

BlackBerry Desktop Software FlexNET Connect ActiveX Control Vulnerability - Secunia Advisories - Vulnerability Intelligence - Secunia.com

Advisory from RIM:
Updating an ActiveX control that the Roxio Media Manager uses


(Bolded text by me)

So the bottom line is that users should check the properties of the file shown in the screenshot here.

http://www.spywarewarrior.com/media/properties.jpg

If the File version is 6.0.100.65100 or earlier, they need to upgrade Desktop Manager meaning, re-download and install 4.5, 4.6, or 4.7 because RIM has replaced/upgraded the file to a newer version now.

In summary:
If you have BlackBerry Desktop Manager versions 4.2 through 4.7, you should check the file properties shown in the screenshot. To get there, open My Computer > Program Files > Common Files > Install Shield > Update Service. Right click the file 'agent.exe', and click Properties. You can see the file version in the screenshot. My version needs to be updated because its lower than 6.0.100.65100.

Note, the advisory says Note: The minimum BlackBerry Desktop Software version you can install to resolve this issue is 4.5.

That means if you have DM 4.2, you should upgrade to at least 4.5 to fix the vulnerability.

If you have Desktop Manager installed without Roxio, check the file still, but you should not need to upgrade according to my understanding.
Any questions, ask.

Just a question on this.... Per the data above, this was released on Nov 28th. Yet this morning on the download page the version listed is 4.7.0 B50 and a date of Nov 17, 2008. Should we be looking for a version greater than B50? Or was the fix already in B50? It's a 310 meg download and I don't want to do it again if I already have it.

Apparently so, I understand from reading the KB article.

Thanks for the info. Looks like the Forum folks found another one.!!

It looks like the vulnerability was known for a few weeks prior to the Secunia advisory of 11-28-08. Most likely RIM and the other companies updated their software prior to the advisory being posted on Secunia. This is a common practice when security vulnerabilities are discovered -- the companies are told so it can be fixed before it's publicized. That way miscreants don't have a chance to use it to attack users before there is a patch.

Well... I got to the system I am running 4.7.0 B50 on and found the agent.exe File version is 6.0.100.65101. So it looks like that version is indeed the updated one even though the download is dated Nov 17.

Wirelessly posted (8130)

You should make this a sticky.

I also got this security alert. If you use their link, you can actually grab several different flavors of the Desktop software - including ones without the annoying media manager - which is where the vulnerability exists anyways!

I did install the version w/o the media manager, and unfortunately it doesn't resolve the issue. I manually removed all the files pertaining to the bug after install to make sure the vulnerability is gone. (stupid Macrovision crap anyways...)

Question for Daphne
 

Hi Daphne,

My organization is standardized on Outlook 2000, and from what I'm told by TIM support, DM 4.5 does not support Outlook 2000, only 2003 and up. We have plans to move to 2003 but do not have a definite migration date at this point. Have you heard of anyone else in a similar situation and if so, if and how they resolved the issue?

Thanks & Ciao

I guess I better update to 4.7
After the install my version still reads 6, 0, 100, 54472

Wirelessly posted (BOLD)

I just removed roxio and put just the 4.6 on without it.
I was getting to many lock ups and my internet would not start. I removed Roxio and no problems.
This is the 4th time I have tried the Roxio and will not use it again.

Hi KOR,

I believe that is correct that Desktop Manager 4.5 and above do not support Outlook 2000. If you absolutely cannot upgrade Outlook, the safest thing would be to have your users install Desktop Manager 4.2 without Media Manager/Roxio. The PCs should be checked for the presence of the vulnerable shown file in the screenshot and it should be deleted if present.

According to what I read, there have been no instances of the Desktop Manager/Roxio vulnerability being used with exploits so far. That's not to say it couldn't happen, however.

So... let me get this straight..
Lucky those who deleted their vendor.xml file, right?
They are not suppose to have this problem.. right?
comment me...mock me...anything...

This has nothing to do with deleting the vendor.xml file.

If you never loaded the Roxio software, you will not have the issue above.

Daphne,

Thanks for the reply & info. I mentioned this to our guy who sets up PCs and he also pointed out that when he's installed the Roxio piece on machines that they seem to take a lot longer to boot, 'hanging' during the 'applying computer settings'. I've never been all too impressed with this implementation of Roxio and think I will follow your advice. Thanks for the heads up and the assistance.

You have old version. If you read carefully, the info says "If the File version is 6.0.100.65100 or earlier, the file is affected...."

You will still need a newer version. It is not totally clear where this new version is located.

After the upgrade to 4.7 mine still has the low version number.

hmmm... 6.0.100.65101 is greater than 6.0.100.65100

Thanks for checking my reading and number skills!! I feel dumbed down but will recover. Seriously, I am glad you saw my error.

Thanks JSanders,
I've upgrade to 4.7 and got 6.0.100.65101
Hope this fixes the vulnerability

Hope your team win this weekend...
If you're not in good mood, blame mriff..
Have fun