RIM offers JavaScript workaround for BlackBerry breach

 

Admits security hole in operating system.

RIM has confirmed a security breach in its BlackBerry OS 6.0 software.

The mobile maker advised concerned users and enterprises to switch off JavaScript to mitigate the problem.

The flaw was spotted during last week's Pwn2Own hacker challenge and requires the handset user to browse to a malicious site set up by the attacker.

The Pwn2Own hackers said they were able to steal a contact list and photo cache from an exploited phone. RIM played down the significance of the attack, claiming that the most private data on handsets was safe because it was stored in unaffected applications folders.

“A successful exploit could allow the attacker to use the BlackBerry browser to access user data stored on the media card and in the built-in media storage on the BlackBerry smartphone,” the company said in a security warning.

“They could not access user data that the email, calendar and contact applications store in the application storage,” RIM said. “Exploitation of the vulnerability does not allow access to this part of memory.”

Nonetheless, the breach admission was an embarrassing gaffe for a company that prides itself on tight security - a big selling point for its corporate customers. RIM was quick to add that no attacks had been spotted using the vulnerability in the wild.

As a workaround until the flaw is patched, RIM recommended that concerned users and system admins switch off JavaScript, although the company admitted this would impact usability.

“Users of BlackBerry Device Software version 6.0 and later can disable the use of JavaScript in the BlackBerry Browser to prevent exploitation of the vulnerability,” the company said.

“The issue is not in JavaScript, but the use of JavaScript is necessary to exploit the vulnerability. Turning off JavaScript may impact the ability to view web pages, or result in a diminished browsing experience.”

Turning off JavaScript wasn't as drastic as RIM's second option for keeping the problem at bay, which involved “disabling the BlackBerry Browser”.

This article originally appeared at pcpro.co.uk

Copyright © PC Pro, Dennis Publishing


Comments: 1
gregk
Mar 18, 2011 2:10 PM
I had to endure a BlackBerry Bold for two years and I thought the browser *was* disabled - the way it messed up every web page made browsing practically impossible.
Also, turning off JavaScript is not just flicking a switch - you still have to audit each phone (through the management tool) to make sure the setting is applied.