RIM Recommends Users Disable JavaScript to Protect BlackBerry OS 6 Handsets

Research In Motion (NASDAQ: RIMM) just issued a security advisory urging BlackBerry users to disable JavaScript in the browser on handsets running BlackBerry 6 to prevent exploitation of a vulnerability revealed at a recent security conference.

During the Pwn2Own hacker challenge at the CanSecWest conference last week, the security vulnerability was exploited to hack into a BlackBerry Torch 9800 smart phone to steal the contact list and image database. The security soft spot exists in the WebKit browser engine included in the BlackBerry 6 mobile operating system.

"Successful exploitation of the vulnerability requires the user to browse to a website that the attacker has maliciously designed. A successful exploit could allow the attacker to use the BlackBerry Browser to access user data stored on the media card and in the built-in media storage on the BlackBerry smartphone, but not to access user data that the email, calendar and contact applications store in the application storage (the internal file system that stores application data and user data) of the BlackBerry smartphone," according to a RIM security advisory issued in response to the hack demo.

In the advisory, RIM provides a quick fix that users can deploy until a permanent patch is issued. The company recommends that users disable JavaScript in the BlackBerry browser to prevent the vulnerability from being exploited.

"The issue is not in JavaScript but the use of JavaScript is necessary to exploit the vulnerability," says the security advisory.

The advisory outlines steps for disabling JavaScript in the Torch 9800, Style 9670, Bold 9700 and 9650, Curve 9300 and Pearl 9100 BlackBerry smartphones.

Additionally, BlackBerry Enterprise Server administrators can disable the BlackBerry Browser on BlackBerry smartphones in their organizations using the Allow Browser IT policy rule and the Allow Other Browser Services IT policy rule.

Another strategy: Google has already addressed the BlackBerry Pwn2Own hack in Chrome.


