Have any BlackBerry customers been subject to an attack that exploits this vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry PRIV smartphone customers using this vulnerability.

What factors affected the release of this security advisory?
This advisory addresses a publicly known vulnerability. BlackBerry publishes details of a software update in a security advisory after the fix is available. Publishing this advisory ensures that our customers can protect themselves by updating their software or employing available workarounds if updating is not possible.

Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit www.blackberry.com/security and www.blackberry.com/bbsirt.

• BlackBerry PRIV running build AAE134 and earlier

• BlackBerry PRIV running build AAE298 and later

An updated software version is available immediately for BlackBerry PRIV smartphones that have been purchased from ShopBlackBerry.com. The updated software version can be identified with the following build ID:

• Build AAE298 and later

If your BlackBerry PRIV smartphone was purchased from a source other than ShopBlackBerry.com, please contact that retailer or carrier directly for urgent maintenance release availability information.

Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations, and general best practices.

This vulnerability is mitigated for all customers by the requirement that an attacker must persuade a user to install a local app running malicious code on the smartphone. An attacker cannot force the user to install a malicious application. Further, BlackBerry is not aware of any such malicious applications targeting the BlackBerry PRIV.

There are no remote vectors for this vulnerability.

Further, BlackBerry PRIV smartphones use a unique security system to prevent persistent compromise. Attempts to use this vulnerability to gain persistent elevated privileges on a BlackBerry PRIV are likely to fail with an error. Any compromise would not persist after a reboot.

The risk for enterprise customers is partially mitigated for customers running current versions of BES to manage their BlackBerry PRIV smartphones. For those customers, the BlackBerry Integrity Detection Engine will identify and report any BlackBerry PRIV smartphones that have been compromised by this vulnerability.

By default, sideloading apps on BlackBerry PRIV is not permitted; users should check the DTEK by BlackBerry application for verification of their security settings.

Finally, the Verify Apps feature will prompt the user with a warning about unsafe apps. The user must actively ignore multiple warnings generated by the Verify Apps feature in order to install a malicious application.

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack. BlackBerry recommends that all users apply the available software update to fully protect their system. All workarounds should be considered temporary measures for customers to apply if they cannot install the update immediately or must perform standard testing and risk analysis. BlackBerry recommends that customers who are able to do so install the update to secure their systems.

BlackBerry recommends that customers should only download apps from trusted sources.