BlackBerry Forums Support Community
              

Old 11-30-2008, 11:40 PM   #1
daphne
BBF Spam Killer Moderator
 
daphne's Avatar
 
Join Date: May 2007
Location: on a sunny beach
Model: Paspt
OS: 10.3.0.90
PIN: X1ZPY34K
Carrier: VZW but not for long
Posts: 9,176
Default Critical security vulnerability in BlackBerry Desktop Software


Just published 11-28-08

BlackBerry Desktop Software FlexNET Connect ActiveX Control Vulnerability - Secunia Advisories - Vulnerability Intelligence - Secunia.com

Quote:
Secunia Advisory: SA32842
Release Date: 2008-11-28

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch

Software: BlackBerry Desktop Software 4.x

CVE reference: CVE-2007-0328

Description:
A vulnerability has been reported in BlackBerry Desktop Software, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to the inclusion of a vulnerable FlexNET Connect ActiveX control.

For more information:
SA25501

The vulnerability is reported in versions 4.2.2 through 4.7.

Solution:
Apply patches. Please see the vendor's advisory for more details.
https://www.blackberry.com/Downloads...93E4F3BB068C22

Original Advisory:
Updating an ActiveX control that the Roxio Media Manager uses

Other References:
SA25501:
Macrovision FLEXnet Connect DWUpdateService ActiveX Control Insecure Methods - Secunia Advisories - Vulnerability Intelligence - Secunia.com

US-CERT VU#524681:
US-CERT Vulnerability Note VU#524681
Advisory from RIM:
Updating an ActiveX control that the Roxio Media Manager uses


Quote:
Environment
BlackBerry® Desktop Software versions 4.2.2 to 4.7
Microsoft® Internet Explorer version (all versions)
--------------------------------------------------------------------------
Overview
The BlackBerry Desktop Manager includes the Roxio® Media Manager for managing media synchronization between the BlackBerry smartphone and the Microsoft® Windows computer. The Roxio Media Manager includes a Microsoft® ActiveX® control used for retrieving and installing application updates. The ActiveX control has the following properties:

ActiveX control property Value
Name DWUpdateService
Class identifier 551E5190-19C7-4626-9D54-FB20355E6467
--------------------------------------------------------------------------

Problem
A buffer overflow exists in the DWUpdateService ActiveX control that could potentially be exploited when a user visits a malicious web page that invokes this control.

Research In Motion (RIM) is tracking this issue as SDR234293.

RIM recommends that you follow the instructions provided here to determine whether your system is affected and where BlackBerry smartphone users can download updated software that addresses the issue.
--------------------------------------------------------------------------

Resolution
Determine whether your system is affected
On the computer on which the BlackBerry Desktop Software is installed, browse to <COMMONFILES>\InstallShield\UpdateService\agent.exe (on most systems, C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe)
Right-click agent.exe and select Properties.
Click the Version tab and verify the version shown. If the File version is 6.0.100.65100 or earlier, the file is affected and can be protected by upgrading the software.


-------------------------------------------------------------------------

Upgrade the BlackBerry Desktop Software

If the affected version of agent.exe is present on the computer on which the BlackBerry Desktop Software is installed, upgrade to the latest patch for the BlackBerry Desktop Software version 4.5, 4.6, or 4.7.
Note: The minimum BlackBerry Desktop Software version you can install to resolve this issue is 4.5.


Visit https://www.blackberry.com/Downloads...93E4F3BB068C22.
In the drop-down list, select BlackBerry Desktop Software v.4.5, BlackBerry Desktop Software v.4.6, or BlackBerry Desktop Software v.4.7 and click Next.
Choose a BlackBerry Desktop Manager bundle to download that includes the With Media Manager option.
Complete the download process and follow the installation instructions to complete the upgrade process.

OR:
Install a patch from a third-party software vendor
If you do not want to upgrade your BlackBerry Desktop Software, you can install a patch from third-party software vendor Acresso™ Software to address the issue.

Visit kb.roxio.com/content/kb/General%20Information/000072GN to see the related notice from Sonic Solution’s Roxio for more information, and to download and install the FLEXNet® Connect patch from Acresso Software.

Acknowledgements
RIM worked with Sonic Solutions to address the vulnerability, which was identified by US-Computer Emergency Readiness Team Coordination Center (CERT/CC). This article is in reference to US-CERT Advisory VU# 524681.


Additional Information
Visit BlackBerry - BlackBerry Enterprise Solution | Wireless Network Security for Corporate Data for more information on BlackBerry security.

Visit US-CERT Vulnerability Note VU#524681 for the related US-CERT advisory.

Visit kb.roxio.com/content/kb/General%20Information/000072GN to see the related notice from Sonic Solution’s Roxio for more information.
(Bolded text by me)

So the bottom line is that users should check the properties of the file shown in the screenshot here.



If the File version is 6.0.100.65100 or earlier, they need to upgrade Desktop Manager, meaning re-download and install 4.5, 4.6, or 4.7, because RIM has replaced/upgraded the file to a newer version now.

In summary:
If you have BlackBerry Desktop Manager versions 4.2 through 4.7, you should check the file properties shown in the screenshot. To get there, open My Computer > Program Files > Common Files > InstallShield > Update Service. Right-click the file 'agent.exe', and click Properties. You can see the file version in the screenshot. My version needs to be updated because it's lower than 6.0.100.65100.

Note, the advisory says: "Note: The minimum BlackBerry Desktop Software version you can install to resolve this issue is 4.5."

That means if you have DM 4.2, you should upgrade to at least 4.5 to fix the vulnerability.

If you have Desktop Manager installed without Roxio, check the file still, but you should not need to upgrade according to my understanding.
Any questions, ask.
__________________
Report spam text messages to 7726
#BlackBerry by choice
Offline  
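The advisory's manual check (open Properties on agent.exe, read the Version tab, compare against 6.0.100.65100) can be scripted. This is an added example, not code from RIM, Secunia or anyone in this thread; it assumes the CommonProgramFiles and CommonProgramFiles(x86) environment variables point at the Common Files folders, and treats a missing agent.exe as "Media Manager was never installed". It also accepts the comma-separated form the Properties dialog shows (e.g. "6, 0, 100, 54472") so a value copied from the dialog can be checked without retyping.

```powershell
# Added example (not from the advisory or the forum posts). Locates the FLEXnet
# Connect agent.exe the RIM advisory points at and reports whether its file
# version is at or below the affected build 6.0.100.65100.
$AffectedMax = [version]'6.0.100.65100'   # "6.0.100.65100 or earlier" is affected

function ConvertTo-AgentVersion {
    # Accepts the dotted form from the advisory ("6.0.100.65101") or the
    # comma form the Properties dialog shows ("6, 0, 100, 54472").
    param([Parameter(Mandatory)][string]$Text)
    [version](($Text -replace '[\s,]+', '.').Trim('.'))
}

function Test-AgentVersionAffected {
    # [version] compares numerically, so 6.0.100.65101 is correctly > 65100
    # (a plain string compare would also get this right here, but not in general).
    param([Parameter(Mandatory)][version]$Version)
    $Version -le $AffectedMax
}

function Get-AgentStatus {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Version = $null; Affected = $false
                                  Note = 'agent.exe not present (Media Manager not installed)' }
    }
    $info = (Get-Item -LiteralPath $Path).VersionInfo
    # Build the version from the numeric parts rather than parsing the free-text
    # FileVersion string, which a vendor can format however it likes.
    $v = New-Object -TypeName System.Version -ArgumentList $info.FileMajorPart,
         $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart
    $affected = Test-AgentVersionAffected $v
    $note = if ($affected) {
        'affected: upgrade to Desktop Software 4.5/4.6/4.7 with Media Manager, or apply the Acresso FLEXnet Connect patch'
    } else { 'patched build' }
    [pscustomobject]@{ Path = $Path; Version = $v; Affected = $affected; Note = $note }
}

# Check both Common Files locations (the x86 one exists on 64-bit Windows;
# checking it is an assumption beyond the advisory's single path).
$roots = @($env:CommonProgramFiles, ${env:CommonProgramFiles(x86)}) |
         Where-Object { $_ } | Select-Object -Unique
foreach ($root in $roots) {
    Get-AgentStatus (Join-Path $root 'InstallShield\UpdateService\agent.exe')
}

# Values reported in this thread, checked from the dialog text directly:
Test-AgentVersionAffected (ConvertTo-AgentVersion '6, 0, 100, 54472')   # strike2tamu's build
Test-AgentVersionAffected (ConvertTo-AgentVersion '6.0.100.65101')      # dbltap's build
```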
Old 12-01-2008, 08:55 AM   #2
dbltap
Talking BlackBerry Encyclopedia
 
dbltap's Avatar
 
Join Date: Aug 2007
Location: Pflugerville, Tx
Model: 9800
OS: 6.0.0.570
PIN: N/A
Carrier: AT&T
Posts: 382
Default

Just a question on this.... Per the data above, this was released on Nov 28th. Yet this morning on the download page the version listed is 4.7.0 B50 and a date of Nov 17, 2008. Should we be looking for a version greater than B50? Or was the fix already in B50? It's a 310 meg download and I don't want to do it again if I already have it.
Offline  
Old 12-01-2008, 10:23 AM   #3
JSanders
Crimson Tide Moderator
 
JSanders's Avatar
 
Join Date: Oct 2004
Location: North of the moss line
Model: Z30
OS: 7.0sumtin
PIN: t low
Carrier: Verizon
Posts: 41,921
Default

Apparently so, I understand from reading the KB article.
Offline  
Old 12-01-2008, 11:25 AM   #4
tsac
BlackBerry God
 
tsac's Avatar
 
Join Date: Mar 2005
Location: Others run out when we run in
Model: Z10
OS: Cheerios
PIN: No Pin just a Tack
Carrier: at&t
Posts: 10,030
Default

Thanks for the info. Looks like the Forum folks found another one!!
__________________
Z10 on BES
Z10 on BIS
Offline  
Old 12-01-2008, 11:54 AM   #5
daphne
BBF Spam Killer Moderator
 
daphne's Avatar
 
Join Date: May 2007
Location: on a sunny beach
Model: Paspt
OS: 10.3.0.90
PIN: X1ZPY34K
Carrier: VZW but not for long
Posts: 9,176
Default

Quote:
Originally Posted by dbltap View Post
Just a question on this.... Per the data above, this was released on Nov 28th. Yet this morning on the download page the version listed is 4.7.0 B50 and a date of Nov 17, 2008. Should we be looking for a version greater than B50? Or was the fix already in B50? It's a 310 meg download and I don't want to do it again if I already have it.
It looks like the vulnerability was known for a few weeks prior to the Secunia advisory of 11-28-08. Most likely RIM and the other companies updated their software prior to the advisory being posted on Secunia. This is a common practice when security vulnerabilities are discovered -- the companies are told so it can be fixed before it's publicized. That way miscreants don't have a chance to use it to attack users before there is a patch.
__________________
Report spam text messages to 7726
#BlackBerry by choice
Offline  
Old 12-01-2008, 01:27 PM   #6
dbltap
Talking BlackBerry Encyclopedia
 
dbltap's Avatar
 
Join Date: Aug 2007
Location: Pflugerville, Tx
Model: 9800
OS: 6.0.0.570
PIN: N/A
Carrier: AT&T
Posts: 382
Default

Well... I got to the system I am running 4.7.0 B50 on and found the agent.exe File version is 6.0.100.65101. So it looks like that version is indeed the updated one even though the download is dated Nov 17.
Offline  
Old 12-01-2008, 01:29 PM   #7
Moonshadow
CrackBerry Addict
 
Moonshadow's Avatar
 
Join Date: Jul 2005
Location: Kingston, Ontario
Model: 8130
OS: 4.5.0.131
Carrier: TELUS
Posts: 885
Default

Wirelessly posted (8130)

You should make this a sticky.
__________________
Experience is a wonderful thing. It enables you to recognize a mistake when you make it again

Telus - 8130 - BES/BIS
Offline  
Old 12-01-2008, 02:24 PM   #8
Vertioch
Thumbs Must Hurt
 
Join Date: Nov 2008
Location: Montana
Model: 9530
OS: 4.7.0.85
PIN: N/A
Carrier: Verizon
Posts: 127
Default

I also got this security alert. If you use their link, you can actually grab several different flavors of the Desktop software - including ones without the annoying media manager - which is where the vulnerability exists anyways!

I did install the version w/o the media manager, and unfortunately it doesn't resolve the issue. I manually removed all the files pertaining to the bug after install to make sure the vulnerability is gone. (stupid Macrovision crap anyways...)
Offline  
Old 12-01-2008, 02:56 PM   #9
KOR
CrackBerry Addict
 
KOR's Avatar
 
Join Date: Sep 2005
Model: None
Carrier: Typhoid Mary
Posts: 612
Default Question for Daphne

Hi Daphne,

My organization is standardized on Outlook 2000, and from what I'm told by TIM support, DM 4.5 does not support Outlook 2000, only 2003 and up. We have plans to move to 2003 but do not have a definite migration date at this point. Have you heard of anyone else in a similar situation and if so, if and how they resolved the issue?

Thanks & Ciao
Offline  
Old 12-01-2008, 06:08 PM   #10
strike2tamu
BlackBerry Extraordinaire
 
strike2tamu's Avatar
 
Join Date: Mar 2008
Location: Houston
Model: 8900
OS: 4.6.1
PIN: N/A
Carrier: T-Mobile
Posts: 2,046
Default

I guess I better update to 4.7
After the install my version still reads 6, 0, 100, 54472
__________________
Whoop!
www.twitter.com/strike2tamu

Last edited by strike2tamu; 12-01-2008 at 06:31 PM..
Offline  
Old 12-01-2008, 10:49 PM   #11
raven71
Thumbs Must Hurt
 
Join Date: Mar 2008
Location: NY/LI
Model: BOLD
PIN: 249F7DCD
Carrier: AT&T
Posts: 164
Default

Wirelessly posted (BOLD)

I just removed Roxio and put just the 4.6 on without it.
I was getting too many lockups and my internet would not start. I removed Roxio and no problems.
This is the 4th time I have tried the Roxio and will not use it again.
__________________
Never forget my Brothers & Sisters who gave their lives on 09-11-01. FDNY/EMS/NYPD/PAPD
Offline  
Old 12-02-2008, 02:24 AM   #12
daphne
BBF Spam Killer Moderator
 
daphne's Avatar
 
Join Date: May 2007
Location: on a sunny beach
Model: Paspt
OS: 10.3.0.90
PIN: X1ZPY34K
Carrier: VZW but not for long
Posts: 9,176
Default

Quote:
Originally Posted by KOR View Post
Hi Daphne,

My organization is standardized on Outlook 2000, and from what I'm told by TIM support, DM 4.5 does not support Outlook 2000, only 2003 and up. We have plans to move to 2003 but do not have a definite migration date at this point. Have you heard of anyone else in a similar situation and if so, if and how they resolved the issue?

Thanks & Ciao
Hi KOR,

I believe that is correct that Desktop Manager 4.5 and above do not support Outlook 2000. If you absolutely cannot upgrade Outlook, the safest thing would be to have your users install Desktop Manager 4.2 without Media Manager/Roxio. The PCs should be checked for the presence of the vulnerable file shown in the screenshot, and it should be deleted if present.

According to what I read, there have been no instances of the Desktop Manager/Roxio vulnerability being used with exploits so far. That's not to say it couldn't happen, however.
__________________
Report spam text messages to 7726
#BlackBerry by choice
Offline  
Old 12-02-2008, 08:41 AM   #13
MikQ
Knows Where the Search Button Is
 
MikQ's Avatar
 
Join Date: Nov 2008
Location: Jakarta
Model: 8320
OS: 4.5.0.81
PIN: 24817D61
Carrier: telkomsel
Posts: 30
Default

So... let me get this straight..
Lucky those who deleted their vendor.xml file, right?
They are not supposed to have this problem.. right?
comment me...mock me...anything...
Offline  
Old 12-02-2008, 09:10 AM   #14
JSanders
Crimson Tide Moderator
 
JSanders's Avatar
 
Join Date: Oct 2004
Location: North of the moss line
Model: Z30
OS: 7.0sumtin
PIN: t low
Carrier: Verizon
Posts: 41,921
Default

This has nothing to do with deleting the vendor.xml file.

If you never loaded the Roxio software, you will not have the issue above.
Offline  
Old 12-02-2008, 09:29 AM   #15
KOR
CrackBerry Addict
 
KOR's Avatar
 
Join Date: Sep 2005
Model: None
Carrier: Typhoid Mary
Posts: 612
Default

Quote:
Originally Posted by daphne View Post
Hi KOR,

I believe that is correct that Desktop Manager 4.5 and above do not support Outlook 2000. If you absolutely cannot upgrade Outlook, the safest thing would be to have your users install Desktop Manager 4.2 without Media Manager/Roxio. The PCs should be checked for the presence of the vulnerable file shown in the screenshot, and it should be deleted if present.

According to what I read, there have been no instances of the Desktop Manager/Roxio vulnerability being used with exploits so far. That's not to say it couldn't happen, however.
Daphne,

Thanks for the reply & info. I mentioned this to our guy who sets up PCs and he also pointed out that when he's installed the Roxio piece on machines that they seem to take a lot longer to boot, 'hanging' during the 'applying computer settings'. I've never been all too impressed with this implementation of Roxio and think I will follow your advice. Thanks for the heads up and the assistance.
Offline  
Old 12-02-2008, 10:19 AM   #16
bcreekski
Thumbs Must Hurt
 
Join Date: Sep 2007
Model: 8830
PIN: N/A
Carrier: Verizon
Posts: 80
Default

Quote:
Originally Posted by dbltap View Post
Well... I got to the system I am running 4.7.0 B50 on and found the agent.exe File version is 6.0.100.65101. So it looks like that version is indeed the updated one even though the download is dated Nov 17.
You have the old version. If you read carefully, the info says "If the File version is 6.0.100.65100 or earlier, the file is affected...."

You will still need a newer version. It is not totally clear where this new version is located.
Offline  
Old 12-02-2008, 01:31 PM   #17
strike2tamu
BlackBerry Extraordinaire
 
strike2tamu's Avatar
 
Join Date: Mar 2008
Location: Houston
Model: 8900
OS: 4.6.1
PIN: N/A
Carrier: T-Mobile
Posts: 2,046
Default

After the upgrade to 4.7 mine still has the low version number.
__________________
Whoop!
www.twitter.com/strike2tamu
Offline  
Old 12-02-2008, 02:18 PM   #18
JSanders
Crimson Tide Moderator
 
JSanders's Avatar
 
Join Date: Oct 2004
Location: North of the moss line
Model: Z30
OS: 7.0sumtin
PIN: t low
Carrier: Verizon
Posts: 41,921
Default

Quote:
Originally Posted by bcreekski View Post
You have the old version. If you read carefully, the info says "If the File version is 6.0.100.65100 or earlier, the file is affected...."

You will still need a newer version. It is not totally clear where this new version is located.
hmmm... 6.0.100.65101 is greater than 6.0.100.65100
Offline  
Old 12-02-2008, 06:24 PM   #19
bcreekski
Thumbs Must Hurt
 
Join Date: Sep 2007
Model: 8830
PIN: N/A
Carrier: Verizon
Posts: 80
Default

Thanks for checking my reading and number skills!! I feel dumbed down but will recover. Seriously, I am glad you saw my error.
Offline  
Old 12-06-2008, 07:53 AM   #20
MikQ
Knows Where the Search Button Is
 
MikQ's Avatar
 
Join Date: Nov 2008
Location: Jakarta
Model: 8320
OS: 4.5.0.81
PIN: 24817D61
Carrier: telkomsel
Posts: 30
Talking

Quote:
Originally Posted by JSanders View Post
This has nothing to do with deleting the vendor.xml file.

If you never loaded the Roxio software, you will not have the issue above.
Thanks JSanders,
I've upgraded to 4.7 and got 6.0.100.65101
Hope this fixes the vulnerability

Hope your team win this weekend...
If you're not in good mood, blame mriff..
Have fun
Offline  
Copyright © 2004-2016 BlackBerryForums.com.
The names RIM © and BlackBerry © are registered Trademarks of BlackBerry Inc.