Research in Motion (RIM) is urging customers who use the popular BlackBerry handset to disable Javascript in their mobile Web browsers.
RIM's concern stems from the
Requires Free Membership to View
exploitation of a vulnerability in the open source Webkit browser,
which recently debuted at Mobile World Congress in Barcelona, and was exploited in a hacking
contest at CanSecWest's Pwn2Own competition in Vancouver, B.C. The team of three (two of whom took
last year's competition by breaking into the iPhone) used a browser exploit in conjunction with
another vulnerability to steal the phone's contact list and image database, as well as gain remote
code execution.
The exploit can also allow access to data stored on a user's media card; however, it cannot grant access to email or calendar data.
The flaw is not within Javascript, but requires Java to exploit the vulnerability. The flaw affects BlackBerry Device Software version 6.0 and later. At the time of the posting of the advisory, RIM was unaware of any active attacks targeting the vulnerability outside of a test environment.
As a secondary option to disabling Javascript, RIM suggests disabling the BlackBerry browser.
The phone, a BlackBerry Torch 9800, fell on the same day as Apple's iPhone 4. Both phones were hacked as part of Pwn2Own, a hacking competition held by Austin-based HP subsidiary TippingPoint DVlabs. These two phones and many other full-fledged browsers and operating systems fell at Pwn2Own. No one attempted to breach Mozilla Firefox, a Samsung Nexus S running Android 2.3, a Dell Venue pro running Windows Phone 7 or Google Chrome.