CPNI - Centre for the Protection of National Infrastructure


February 2009

3756 - Vulnerability exists in BlackBerry Application Web Loader ActiveX control

ID: 3756
Date: 11/02/2009

Title: 3756 - Vulnerability exists in BlackBerry Application Web Loader ActiveX control
Platform level affected: Net Application - Client
Hardware components affected:Other
Specific operating systems components affected: Other
Net-enabled software: Enterprise Application
Other software: Other
Remediation Summary: Update your copy of the software with the download available from the supplier.
Vendors affected:Research In Motion Limited
Applications affected:BlackBerry Application Web Loader
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Unknown
Potential Damage: Remote execution/modification
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: Blackberry
Reliability of source: Known
Source URL: http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB16248
CVE: CVE-2009-0305
Abstract: This advisory describes a vulnerability in the BlackBerry Application Web Loader. Users are recommended to install the updated version of the program.

Doc ID: KB16248
Last Modified: 02-10-2009
Document Type: Security Advisory
 
Environment
BlackBerry® Application Web Loader Version 1.0
Microsoft® Internet Explorer (all versions)

Overview
This advisory is intended to assist Research In Motion's (RIM's) customers in addressing an identified vulnerability in the BlackBerry Application Web Loader.
 
Issue Severity: This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.3.
Issue Status: Vulnerability confirmed. Software containing security update released.
Recommendation: Complete the resolution actions documented in this advisory.
 
CVE number
CVE-2009-0305
Microsoft Security Advisory
http://www.microsoft.com/technet/security/advisory/960715.mspx 

Acknowledgments
eEye Digital Security, working with CERT/CC, identified this vulnerability.
 
RIM would like to acknowledge Microsoft for including the killbit(s) from this security update in the Advisory. Customers should primarily look to RIM's security update to resolve this issue. RIM would like to thank Microsoft for their involvement in helping protect our customers.
 
The update from Microsoft is also available through Microsoft Update, Windows Update, or Office Update, or from the Microsoft Download Center. 
 
--------------------------------------------------------------------------------

Impact
Environment Details
The BlackBerry Application Web Loader is a Microsoft® ActiveX® web-based application loader that third party application developers use to create web pages that enable users to install applications directly on a BlackBerry device. When a user accesses a web page that uses the BlackBerry Application Web Loader and accepts the permission prompt, the web page installs the BlackBerry Application Web Loader on the user's computer. The BlackBerry Application Web Loader uses the .jad and .cod files stored on the web server to install an application on a BlackBerry device connected to the user's computer.
 
The BlackBerry Application Web Loader ActiveX control has the following properties:

ActiveX control property   Value
Name                       RIM AxLoader
Publisher                  Research In Motion Limited
File                       AxLoader.ocx or AxLoader.dll
Class identifier           4788DE08-3552-49EA-AC8C-233DA52523B9
 
--------------------------------------------------------------------------------
Problem
An exploitable buffer overflow exists in the BlackBerry Application Web Loader ActiveX control that Internet Explorer uses to install applications on BlackBerry devices.
--------------------------------------------------------------------------------
Cause
When a BlackBerry device user browses to a web site that is designed to install applications on BlackBerry devices over a USB connection, and clicks Yes to install and run the BlackBerry Application Web Loader ActiveX control, the vulnerable control is installed and registered on the computer. From then on Internet Explorer can load the control for any web page that references its class identifier, so a crafted web page can trigger the buffer overflow.
--------------------------------------------------------------------------------
Resolution
To resolve the issue, install a version of the BlackBerry Application Web Loader that does not include the vulnerability.
Install the updated version of the BlackBerry Application Web Loader
Visit http://na.blackberry.com/eng/developers/javaappdev/devtools.jsp.
Click the link to download the BlackBerry Application Web Loader v1.1.
Complete the installation wizard.
--------------------------------------------------------------------------------
Workaround

Remove the ActiveX control from Internet Explorer and then disable the ActiveX control to prevent Internet Explorer from reinstalling the ActiveX control. 
Remove the ActiveX control from Internet Explorer
1. Open Internet Explorer.
2. Click Tools > Internet Options.
3. Under Temporary Internet Files click Settings.
4. Click View Objects.
5. Locate RIM AxLoader in the Program Files list. If there is more than one RIM AxLoader file listed, right-click each file and select Properties to verify which file has ID 4788DE08-3552-49EA-AC8C-233DA52523B9.
6. Right-click the RIM AxLoader file that has ID 4788DE08-3552-49EA-AC8C-233DA52523B9 and click Remove.
7. Click Yes.
8. Restart Internet Explorer.
Disable the ActiveX control
Use the Registry Editor to set a registry key for the ActiveX control that uses a specific Compatibility Flags DWORD value. This prevents Internet Explorer from calling that ActiveX control, if it exists, unless the Initialize and script ActiveX controls not marked as safe option is enabled in Internet Explorer, or from reinstalling that ActiveX control at the request of another web site.
1. Use the Registry Editor to browse to the following location:
   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\
2. Verify whether the key {4788DE08-3552-49EA-AC8C-233DA52523B9} exists. If the key exists, continue to step 4.
3. If the key does not exist, click Edit > New > Key. Rename the new key to {4788DE08-3552-49EA-AC8C-233DA52523B9}, the class identifier of the ActiveX control.
4. Click {4788DE08-3552-49EA-AC8C-233DA52523B9}. Click Edit > New > DWORD value.
5. Rename the DWORD value to Compatibility Flags.
6. Click Compatibility Flags. Click Edit > Modify.
7. Set the Value data field to 00000400 (hexadecimal; 0x400 is the kill bit).
8. Restart Internet Explorer.
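The two workaround steps above (remove the control, then set the kill bit so it cannot be reinstalled) can be scripted. The following is an added PowerShell example, not code from RIM's or CPNI's advisory. The class identifier and the ActiveX Compatibility path come from the advisory; the Wow6432Node copy of that path (read by 32-bit Internet Explorer on 64-bit Windows), the HKEY_CLASSES_ROOT\CLSID check for a still-registered control, and the "Downloaded Program Files" location are assumptions based on general kill-bit practice and are marked as such in the comments. Run it from an elevated (Administrator) prompt.

```powershell
# Added example (not from the RIM/CPNI advisory): set the kill bit for the
# RIM AxLoader ActiveX control and report whether the control is still present.
# Requires an elevated PowerShell prompt (writes under HKLM).

$clsid   = '{4788DE08-3552-49EA-AC8C-233DA52523B9}'   # RIM AxLoader, from the advisory
$KillBit = 0x400                                        # Compatibility Flags kill bit (KB 240797)

# Path named in the advisory, plus the Wow6432Node copy that 32-bit IE reads on
# 64-bit Windows (assumption: general kill-bit practice, not stated in the advisory).
$compatPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
)

foreach ($path in $compatPaths) {
    # The Wow6432Node hive only exists on 64-bit Windows; skip it elsewhere.
    if ($path -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }

    if (-not (Test-Path $path)) {
        New-Item -Path $path -Force | Out-Null          # create the {CLSID} key (step 3 above)
    }

    # Preserve any Compatibility Flags already set for this CLSID; only OR in the kill bit.
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$existing -bor $KillBit
    New-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -PropertyType DWord -Force | Out-Null

    # Read the value back rather than trusting the write.
    $check = (Get-ItemProperty -Path $path -Name 'Compatibility Flags').'Compatibility Flags'
    if (($check -band $KillBit) -eq $KillBit) {
        Write-Host ("Kill bit set: {0} (Compatibility Flags = 0x{1:X8})" -f $path, $check)
    } else {
        Write-Warning ("Kill bit NOT set at {0}; check permissions" -f $path)
    }
}

# Verification: is the control's COM class still registered (assumption: standard COM
# registration under CLSID\{...}\InprocServer32), and is the downloaded file still on disk?
$clsRoots = @(
    "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid",
    "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid"
)
foreach ($root in $clsRoots) {
    if (Test-Path "$root\InprocServer32") {
        $dll = (Get-ItemProperty -Path "$root\InprocServer32").'(default)'
        Write-Warning "RIM AxLoader is still registered at $root -> $dll. Remove it via View Objects or install Web Loader v1.1."
    }
}

# IE keeps downloaded controls under %windir%\Downloaded Program Files (assumption).
$dpf = Join-Path $env:windir 'Downloaded Program Files'
Get-ChildItem -Path $dpf -Filter 'AxLoader.*' -ErrorAction SilentlyContinue | ForEach-Object {
    Write-Warning ("Loader file still present on disk: {0}" -f $_.FullName)
}
```

The kill bit only stops Internet Explorer from instantiating the control; it does not delete the file, which is why the script also reports whether the class is still registered and whether the .ocx/.dll remains under Downloaded Program Files. Installing BlackBerry Application Web Loader v1.1 remains the actual fix; the kill bit is the containment measure for machines that cannot be updated immediately, and it should be left in place afterwards so the vulnerable 1.0 control cannot be reintroduced by another web site.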
--------------------------------------------------------------------------------
Additional Information
See the Microsoft Knowledge Base article How to stop an ActiveX control from running in Internet Explorer (Article ID: 240797) for more information about options for disabling, and removing ActiveX controls.
 
CVSS is a vendor agnostic, industry open standard designed to convey the severity of vulnerabilities. CVSS scores may be used to determine the urgency for update deployment within an organization. CVSS scores range from 0.0 (no vulnerability) to 10.0 (critical). RIM uses CVSS in vulnerability assessments to present an immutable characterization of security issues. RIM assigns all security relevant issues a non-zero score.
 
Visit www.blackberry.com/security for more information on BlackBerry security.
 

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.

Wed, 11 Feb 2009 13:30:00 GMT
Domain affected: Technical