According to the advisory, an escalation of privilege vulnerability exists in 'BlackBerry® Protect™' on Z10 phones, software meant to help users delete sensitive files on a lost or stolen smartphone, or recover the device if it is lost.
“Taking advantage of the weak permissions could allow the malicious app to gain the device password if a remote password reset command had been issued through the BlackBerry Protect website, intercept and prevent the smartphone from acting on BlackBerry Protect commands, such as a remote smartphone wipe.”
The company says that version 10.0.9.2743 is not affected and that it has found no evidence of attackers exploiting this vulnerability in the wild. Furthermore, the more severe exploitation requires an attacker to have physical access to the device after its user has downloaded a maliciously crafted application.
The second advisory covers a vulnerability identified as CVE-2013-0630: Adobe Flash Player versions earlier than 10.0.10.648 included with the Z10 are affected, as are versions 2.1.0.1526 on the PlayBook.
Exploitation requires the user to interact with a malicious .swf application, either embedded in website content or delivered as an email attachment opened over webmail, through a browser on one of the devices.
To avoid this vulnerability, you should update to the latest BlackBerry 10 OS version.