Tavis Ormandy, a security researcher at Google Inc (NASDAQ:GOOG), together with Ollie Whitehouse, reported to BlackBerry Ltd (NASDAQ:BBRY) a security flaw that allows the WebDAV file server to be exploited remotely. Following the disclosure, the troubled Canadian company asked its users to update the software on their Windows or Mac OS X computers.
The security flaw
BlackBerry Ltd (NASDAQ:BBRY) reported that the vulnerability exists in selected versions of the Link Peer Manager application, a freely available program that lets users transfer files between their BlackBerry mobiles and a Microsoft Corporation (NASDAQ:MSFT) Windows or Apple Inc. (NASDAQ:AAPL) Mac OS X personal computer. BlackBerry has asked users to upgrade to the latest builds, which are not vulnerable to the discovered flaw.
The flaw allows malicious attackers to bypass some of the security mechanisms of the Link application; the impact depends on the purpose and design of the affected application. The security issue is caused by an error within the Link component that can be exploited to manipulate or disclose an otherwise inaccessible BlackBerry Ltd (NASDAQ:BBRY) Link file access folder.
The issue stems from Link exposing the user's remote files through a WebDAV server that can be reached over the network without any authentication checks. Under certain conditions, this lets an attacker escalate their privileges and run arbitrary commands. The attacker can trick another user into visiting a malicious web page or a deliberately manipulated web link.
BlackBerry Ltd (NASDAQ:BBRY) urged users and administrators to apply mitigation techniques as protective measures against manipulation or exploitation of the flaw. For instance, the user may remove the remote file sharing directory in the Link component. These measures were recommended to users in addition to upgrading the Link software to a patched release.
Given the ever-decreasing number of BlackBerry's handset sales, the number of users who might need a Link update is expected to be as low as it has ever been. IDC researchers estimated that only 1.7 percent of smartphones sold during the last quarter ran the BlackBerry operating system.
However, admins whose businesses still use the BlackBerry Ltd (NASDAQ:BBRY) platform will need to roll out an update for BlackBerry Link on top of the heavy load of security patches that piled up during the week. The other updates come from the Microsoft Corporation (NASDAQ:MSFT) Patch Tuesday bundle and from an Adobe Systems Inc. (NASDAQ:ADBE) set of fixes for the ColdFusion application and the widely used Flash Player.