BlackBerry Security: RIM Tells Users, Admins to Disable Webkit Browser JavaScript

BlackBerry users running the BlackBerry 6 OS should disable browser JavaScript to avoid a potential security issue, RIM says.

On the heels of news that "white hat" hackers had identified and exploited a flaw in RIM's BlackBerry 6 Webkit browser at the annual Pwn2Own hacking contest in Vancouver, B.C., BlackBerry-maker Research In Motion (RIM) has issued a security advisory instructing BlackBerry users with smartphones running the company's BlackBerry 6 OS, as well as BlackBerry Enterprise Server (BES) administrators supporting BlackBerry 6 devices, to disable the BlackBerry Webkit browser's JavaScript functionality.

BlackBerry 6 Webkit Browser Options Screen
BlackBerry 6 Webkit Browser Options Screen

This is the first year a Pwn2Own participant was able to "crack" RIM's BlackBerry OS, which is typically considered the most secure mobile OS. Hackers Vincenzo Iozzo, Willem Pinckaers and Ralf Philipp Weinmann gained access to all contact information and the device image-database on a BlackBerry Torch running RIM's BlackBerry OS 6.0.0.246, via RIM's WebKit browser, which is only found in the company's BlackBerry 6 OS and not previous software versions, according to ZDNet.com.

In other words, the flaw only affects users running RIM's BlackBerry 6 OS and later, and other BlackBerry owners with earlier device software need not worry about the flaw.

On Monday, RIM released an official response to the news from Pwn2Own, issuing a security advisory that calls for all BlackBerry 6 users and administrators to disable the JavaScript function in their BlackBerry 6 Webkit browser, until RIM can release a software fix.

RIM says its BlackBerry Security Incident Response Team has not received any reports that the browser flaw has been successfully exploited on a BlackBerry smartphone outside of a test environment or has resulted in any impact to BlackBerry customers, but it's still a good idea to disable JavaScript just in case, especially since the exploit is now getting so much mainstream attention.

To disable your Webkit Browser JavaScript, simple open your BlackBerry Browser, hit your BlackBerry Menu key, choose Options and then uncheck the box next to "Enable JavaScript," under the Web Content section. Save your changes and you're good to go.

BES admins can disable their BlackBerry 6 users' JavaScript in one fell swoop by employing the BES "Disable JavaScript in Browser" IT policy rule, or they can turn off the BlackBerry Browser all together via a similar IT policy, according to RIM.

Additional information on the flaw, along with RIM's suggested workarounds, can be found on the BlackBerry Technical Solution Center site.

AS

Al Sacco covers Mobile and Wireless for CIO.com. Follow Al on Twitter @ASacco. Follow everything from CIO.com on Twitter @CIOonline and on Facebook. Email Al at asacco@cio.com

Join the discussion
Be the first to comment on this article. Our Commenting Policies