Today BlackBerry released the latest security update for the Priv; after the update the system build number is AAE298.
As BlackBerry promised PRIV users, it always pushes security updates to the PRIV at the earliest opportunity, something no other Android phone brand has managed. It is no exaggeration to say that the BlackBerry PRIV is the most secure Android phone, and, as BlackBerry's CEO said earlier, BlackBerry brings security to Android…
BSRT-2016-002 Vulnerability in Android/Linux kernel impacts BlackBerry PRIV smartphones
OVERVIEW
WHO SHOULD READ THIS ADVISORY?
- BlackBerry PRIV smartphone users
- IT administrators who deploy BlackBerry PRIV smartphones
WHO SHOULD APPLY THE SOFTWARE FIX(ES)?
- BlackBerry PRIV smartphone users
- IT administrators who deploy BlackBerry PRIV smartphones
MORE INFORMATION
Have any BlackBerry customers been subject to an attack that exploits this vulnerability?
BlackBerry is not aware of any attacks targeting BlackBerry PRIV smartphone customers using this vulnerability.
What factors affected the release of this security advisory?
This advisory addresses a publicly known vulnerability. BlackBerry publishes details of a software update in a security advisory after the fix is available. Publishing this advisory ensures that our customers can protect themselves by updating their software or employing available workarounds if updating is not possible.
Where can I read more about the security of BlackBerry products and solutions?
For more information on BlackBerry security, visit www.blackberry.com/security and www.blackberry.com/bbsirt.
AFFECTED PRODUCTS AND RESOLUTIONS
AFFECTED PRODUCTS
- BlackBerry PRIV running build AAE134 and earlier
NON AFFECTED PRODUCTS
- BlackBerry PRIV running build AAE298 and later
ARE BLACKBERRY DEVICES AFFECTED?
RESOLUTION
An updated software version is available immediately for BlackBerry PRIV smartphones that have been purchased from ShopBlackBerry.com. The updated software version can be identified with the following build ID:
- Build AAE298 and later
If your BlackBerry PRIV smartphone was purchased from a source other than ShopBlackBerry.com, please contact that retailer or carrier directly for urgent maintenance release availability information.
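For administrators with more than a handful of PRIV devices, the practical question is which units in the fleet still run an affected build. The following is an added example (not BlackBerry's own tooling) that classifies build IDs against the two ranges this advisory names; it assumes build IDs have the form shown here ("AAE" followed by a number) and that a higher number is a newer build, and it treats any build the advisory does not explicitly name (between AAE134 and AAE298, or in another format) as "unknown" rather than guessing. The inventory is constructed sample data.

```python
"""Fleet check for BSRT-2016-002 (CVE-2015-1805) on BlackBerry PRIV.

Added example, not BlackBerry's tooling. Assumes build IDs take the form
shown in the advisory ("AAE" prefix followed by a three-digit number) and
that a higher number is a newer build. The inventory below is constructed.
"""
import re

AFFECTED_MAX = 134   # advisory: "AAE134 and earlier" are affected
FIXED_MIN = 298      # advisory: "AAE298 and later" are not affected

BUILD_RE = re.compile(r"^AAE(\d{3})$")


def classify_build(build_id):
    """Return 'affected', 'fixed' or 'unknown' for a PRIV build ID string."""
    m = BUILD_RE.match(build_id.strip().upper())
    if not m:
        return "unknown"          # not in the documented AAEnnn format
    n = int(m.group(1))
    if n <= AFFECTED_MAX:
        return "affected"
    if n >= FIXED_MIN:
        return "fixed"
    # Builds between the two named ranges are not covered by the advisory;
    # report them for manual verification instead of assuming either way.
    return "unknown"


def triage_inventory(inventory):
    """Group device serials by status. inventory maps serial -> build ID."""
    out = {"affected": [], "fixed": [], "unknown": []}
    for serial, build in inventory.items():
        out[classify_build(build)].append(serial)
    return out


# Constructed sample inventory (serial numbers and builds are made up)
SAMPLE_INVENTORY = {
    "priv-0001": "AAE298",
    "priv-0002": "AAE134",
    "priv-0003": "AAE016",
    "priv-0004": "AAE200",
    "priv-0005": "n/a",
}

if __name__ == "__main__":
    for status, serials in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(serials) or '-'}")
```

Devices reported as "affected" are candidates for the update or, where it is not yet available from the carrier, for the workaround below; "unknown" entries need a manual check of the build against the retailer's or carrier's release notes.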
VULNERABILITY INFORMATION
An elevation of privilege vulnerability exists in the shared Android/Linux kernel used in affected versions of BlackBerry PRIV smartphones. The kernel constitutes the central core of the smartphone’s operating system.
Successful exploitation of this vulnerability could result in an attacker gaining elevated privileges on the smartphone.
In order to exploit this vulnerability, an attacker must craft a malicious app. The attacker must then persuade a user to download and install the malicious app.
This vulnerability has a Common Vulnerability Scoring System (CVSSv2) score of 6.9. View the linked Common Vulnerability and Exposures (CVE) identifiers for a description of the security issue that this security advisory addresses.
CVE identifier — CVSSv2 score
CVE-2015-1805 — 6.9
MITIGATIONS
Mitigations are existing conditions that a potential attacker would need to overcome to mount a successful attack or that would limit the severity of an attack. Examples of such conditions include default settings, common configurations, and general best practices.
This vulnerability is mitigated for all customers by the requirement that an attacker must persuade a user to install a local app running malicious code on the smartphone. An attacker cannot force the user to install a malicious application. Further, BlackBerry is not aware of any such malicious applications targeting the BlackBerry PRIV.
There are no remote vectors for this vulnerability.
Further, BlackBerry PRIV smartphones use a unique security system to prevent persistent compromise. Attempts to use this vulnerability to gain persistent elevated privileges on a BlackBerry PRIV are likely to fail with an error. Any compromise would not persist after a reboot.
The risk for enterprise customers is partially mitigated for customers running current versions of BES to manage their BlackBerry PRIV smartphones. For those customers, the BlackBerry Integrity Detection Engine will identify and report any BlackBerry PRIV smartphones that have been compromised by this vulnerability.
By default, sideloading apps on BlackBerry PRIV is not permitted; users should check the DTEK by BlackBerry application for verification of their security settings.
Finally, the Verify Apps feature will prompt the user with a warning about unsafe apps. The user must actively ignore multiple warnings generated by the Verify Apps feature in order to install a malicious application.
WORKAROUNDS
Workarounds are settings or configuration changes that a user or administrator can apply to help protect against an attack. BlackBerry recommends that all users apply the available software update to fully protect their system. All workarounds should be considered temporary measures for customers to apply if they cannot install the update immediately or must perform standard testing and risk analysis. BlackBerry recommends that customers who are able to do so install the update to secure their systems.
BlackBerry recommends that customers should only download apps from trusted sources.
DEFINITIONS
CVE
Common Vulnerabilities and Exposures (CVE) is a dictionary of common names (CVE Identifiers) for publicly known information security vulnerabilities, maintained by the MITRE Corporation.
CVSS
CVSS is a vendor-agnostic, open industry standard designed to convey the severity of a vulnerability. CVSS scores may be used to determine the urgency of update deployment within an organization. CVSS scores can range from 0.0 (no vulnerability) to 10.0 (critical). BlackBerry uses CVSSv2 in vulnerability assessments to present an immutable characterization of security issues. BlackBerry assigns all relevant security issues a non-zero score. Customers performing their own risk assessments of vulnerabilities that may impact them can benefit from using the same industry-recognized CVSS metrics.
Trademark attributions
Android is a trademark of Google Inc.
Linux® is the registered trademark of Linus Torvalds in the U.S. and other countries.
ACKNOWLEDGEMENTS
CHANGE LOG
Initial publication
一叶轻舟到天崖
I don't see it!!!???
The Hong Kong version hasn't received it
Why hasn't my Hong Kong version received it?
My Hong Kong version hasn't received it either
It's already April 2 and the Hong Kong version still hasn't received this update
Still on AAE016…. no hurry….