BerryLink
Dedicated to BlackBerry, here for you

Priv by BlackBerry system updated to AAE298

Today BlackBerry released the latest security update for the Priv; after the update the system version number is AAE298.


Just as BlackBerry promised PRIV users, BlackBerry always pushes security updates to the PRIV at the earliest opportunity; among the many Android phone brands, BlackBerry is the only one to do so. It is no exaggeration to say that the BlackBerry PRIV is the most secure Android phone, just as the BlackBerry CEO said earlier: BlackBerry brought security to Android…

BSRT-2016-002 Vulnerability in Android/Linux kernel impacts BlackBerry PRIV smartphones

OVERVIEW

This advisory addresses an industry-wide elevation of privilege vulnerability that is not currently being exploited against, but affects, BlackBerry® PRIV smartphones. BlackBerry customer risk is limited by the inability of a potential attacker to force exploitation of the vulnerability without customer interaction. Successful exploitation requires an attacker craft a malicious application (app) and that a user install the malicious app. If the requirements are met for exploitation, an attacker could potentially gain locally elevated privileges. After installing the recommended software update, affected customers will be fully protected from this vulnerability.

WHO SHOULD READ THIS ADVISORY?

  • BlackBerry PRIV smartphone users
  • IT administrators who deploy BlackBerry PRIV smartphones

WHO SHOULD APPLY THE SOFTWARE FIX(ES)?

  • BlackBerry PRIV smartphone users
  • IT administrators who deploy BlackBerry PRIV smartphones

MORE INFORMATION

Have any BlackBerry customers been subject to an attack that exploits this vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry PRIV smartphone customers using this vulnerability.

What factors affected the release of this security advisory?
This advisory addresses a publicly known vulnerability. BlackBerry publishes details of a software update in a security advisory after the fix is available. Publishing this advisory ensures that our customers can protect themselves by updating their software or employing available workarounds if updating is not possible.

Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit www.blackberry.com/security and www.blackberry.com/bbsirt.


AFFECTED PRODUCTS AND RESOLUTIONS

Read the following to determine if your BlackBerry PRIV smartphone is affected.

AFFECTED PRODUCTS

  • BlackBerry PRIV running build AAE134 and earlier

NON AFFECTED PRODUCTS

  • BlackBerry PRIV running build AAE298 and later

ARE BLACKBERRY DEVICES AFFECTED?

BlackBerry 10 and BlackBerry OS smartphones are not affected by this issue. The shared Android™/Linux® kernel on the BlackBerry PRIV is impacted.

RESOLUTION

An updated software version is available immediately for BlackBerry PRIV smartphones that have been purchased from ShopBlackBerry.com. The updated software version can be identified with the following build ID:

  • Build AAE298 and later

If your BlackBerry PRIV smartphone was purchased from a source other than ShopBlackBerry.com, please contact that retailer or carrier directly for urgent maintenance release availability information.
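A fleet check an IT administrator could run against the build IDs named in this advisory, added here as an example (it is not BlackBerry's code or part of the advisory): the device names, the "n/a" entry and the inventory itself are constructed assumptions, and builds between AAE134 and AAE298 are deliberately reported as unknown because the advisory says nothing about them.

```python
import re

# Builds named in BSRT-2016-002: AAE134 and earlier are affected, AAE298 and
# later carry the fix. Builds between the two are not mentioned by the advisory.
LAST_AFFECTED_BUILD = "AAE134"
FIXED_BUILD = "AAE298"

# PRIV build IDs on the page look like three letters followed by three digits.
_BUILD_RE = re.compile(r"^([A-Z]{3})(\d{3})$")


def parse_build(build_id: str) -> tuple[str, int]:
    """Split a build ID such as 'AAE298' into its letter series and number."""
    m = _BUILD_RE.match(build_id.strip().upper())
    if not m:
        raise ValueError(f"unrecognised build ID format: {build_id!r}")
    return m.group(1), int(m.group(2))


def assess_build(build_id: str) -> str:
    """Classify one build as 'affected', 'patched' or 'unknown' per the advisory."""
    series, num = parse_build(build_id)
    fixed_series, fixed_num = parse_build(FIXED_BUILD)
    _, last_affected_num = parse_build(LAST_AFFECTED_BUILD)
    if series != fixed_series:
        return "unknown"      # advisory only speaks about the AAE series
    if num >= fixed_num:
        return "patched"
    if num <= last_affected_num:
        return "affected"
    return "unknown"          # AAE135..AAE297: not covered, review manually


def triage_fleet(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group device names by assessment so an admin sees who still needs the update."""
    groups: dict[str, list[str]] = {"affected": [], "patched": [], "unknown": []}
    for device, build in sorted(inventory.items()):
        try:
            groups[assess_build(build)].append(device)
        except ValueError:
            groups["unknown"].append(device)   # malformed/missing build: look at it
    return groups


# Constructed sample inventory: hypothetical device names and reported build numbers.
SAMPLE_INVENTORY = {
    "priv-alice": "AAE298", "priv-bob": "AAE134", "priv-carol": "AAE016",
    "priv-dave": "aae300", "priv-erin": "AAE200", "priv-frank": "n/a",
}
```

Feed it the build numbers your MDM inventory reports for each PRIV; devices in the "affected" and "unknown" groups are the ones to chase.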


VULNERABILITY INFORMATION

An elevation of privilege vulnerability exists in the shared Android/Linux kernel used in affected versions of BlackBerry PRIV smartphones. The kernel constitutes the central core of the smartphone’s operating system.

Successful exploitation of this vulnerability could result in an attacker gaining elevated privileges on the smartphone.

In order to exploit this vulnerability, an attacker must craft a malicious app. The attacker must then persuade a user to download and install the malicious app.

This vulnerability has a Common Vulnerability Scoring System (CVSSv2) score of 6.9. View the linked Common Vulnerability and Exposures (CVE) identifiers for a description of the security issue that this security advisory addresses.

CVE identifier — CVSSv2 score
CVE-2015-1805 — 6.9

MITIGATIONS

Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations, and general best practices.

This vulnerability is mitigated for all customers by the requirement that an attacker must persuade a user to install a local app running malicious code on the smartphone. An attacker cannot force the user to install a malicious application. Further, BlackBerry is not aware of any such malicious applications targeting the BlackBerry PRIV.

There are no remote vectors for this vulnerability.

Further, BlackBerry PRIV smartphones use a unique security system to prevent persistent compromise. Attempts to use this vulnerability to gain persistent elevated privileges on a BlackBerry PRIV are likely to fail with an error. Any compromise would not persist after a reboot.

The risk for enterprise customers is partially mitigated for customers running current versions of BES to manage their BlackBerry PRIV smartphones. For those customers, the BlackBerry Integrity Detection Engine will identify and report any BlackBerry PRIV smartphones that have been compromised by this vulnerability.

By default, sideloading apps on BlackBerry PRIV is not permitted; users should check the DTEK by BlackBerry application for verification of their security settings.

Finally, the Verify Apps feature will prompt the user with a warning about unsafe apps. The user must actively ignore multiple warnings generated by the Verify Apps feature in order to install a malicious application.

WORKAROUNDS

Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack. BlackBerry recommends that all users apply the available software update to fully protect their system. All workarounds should be considered temporary measures for customers to apply if they cannot install the update immediately or must perform standard testing and risk analysis. BlackBerry recommends that customers who are able to do so install the update to secure their systems.

BlackBerry recommends that customers should only download apps from trusted sources.


DEFINITIONS

CVE
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities, maintained by the MITRE Corporation.

CVSS
CVSS is a vendor-agnostic, open industry standard designed to convey the severity of a vulnerability. CVSS scores may be used to determine the urgency of update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSSv2 in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.

Trademark attributions
Android is a trademark of Google Inc.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.


ACKNOWLEDGEMENTS

BlackBerry would like to thank the Android Security team at Google Inc for their assistance in protecting our customers. We would also like to thank Zimperium for their contribution to the rapid resolution of this issue.


CHANGE LOG

03-23-2016
Initial publication

一叶轻舟到天崖

#IChooseBlackBerry 10# Coz it is not only a phone, but also a way of life!


6 comments


  1. #6

    Haven't seen it!!!???

    fiataaa, 1 year ago (2016-03-24)
  2. #5

    The Hong Kong version hasn't received it

    yancey, 1 year ago (2016-03-24)
  3. #4

    Why hasn't my Hong Kong version received it?

    sky916777, 1 year ago (2016-03-25)
  4. #3

    My Hong Kong version hasn't received it either

    tt11059213, 1 year ago (2016-03-28)
  5. #2

    It's already April 2 today, and the Hong Kong version still hasn't received this update

    twm17, 1 year ago (2016-04-02)
  6. #1

    Still on AAE016…. no rush….

    cncpp, 1 year ago (2016-04-05)
