BlackBerry joins the FREAK show

BlackBerry has joined the lengthening list of FREAKed-out vendors, publishing a list of currently-vulnerable software and promising fixes as soon as possible. The famous FREAK is the vulnerability that OpenSSL inherited from the 1990s, because America's rules at the time meant “export-grade” encryption was limited to a maximum …

  1. Hans 1

    I switched to 10.3 when it was made available, what, a month or two ago? Since, I installed an update last week, got another yesterday and I guess I will have to update my phone once more this week. The last update I got for my phone prior to 10.3 was 10.2.<cannotRememberWhat>, released over a year ago ...

    In the meantime, got a z30 for the wife as she could not stand Android anymore, iOS is out of the question, <jokeAlert>could not find a decent Nokia</jokeAlert>, so BlackBerry I got.

  2. The C Man

    FREAK conquered.

    Richard (Author).

    The latest BlackBerry update has protection against FREAK. You are late with this story. Might be better to concentrate on Apple whose update doesn't seem to have reached many iDevices and Google who have to rely on the ISPs and manufacturers to roll out updates.

    1. Phil Koenig

      Re: FREAK conquered.

      The problem BlackBerry has is that they cannot push mandatory, timely updates to their users because they are all gated through carriers. For example, the VAST majority of US Blackberry 10 users today are on devices where the latest official OS is some variant of 10.2.1 - which is riddled with security weaknesses.*

      BlackBerry has also been notoriously slow at releasing security patches - their announcement in this case is notable for being much prompter than is their usual habit.

      The issue of having to rely on carriers to push updates is not unique to BlackBerry (Apple is one of an extremely exclusive club not burdened by this), but their current market position most likely means that the leverage they have over carriers to "encourage" them to do so is far less than the 6-10 vendors who sell more devices that connect to carrier networks these days than they do.

      *(Yes, enthusiasts can violate Blackberry's terms-of-service, find and install unapproved leaked versions of firmware on their devices, but even at that, I'd estimate of the total installed-base of devices, probably no more than 10% - at most - do this on a regular basis.)

  3. Anonymous Coward

    Both Safari and BB Browser are built with Webkit

    Has anyone less lazy than me looked at this?

    1. Phil Koenig

      Re: Both Safari and BB Browser are built with Webkit

      Most of the non-OS-specific vulns that apply to Webkit generally seem to apply to Blackberry 10's native browser.

      The exception would be some aspects of the crypto library, which is unique to BlackBerry. (And FIPS 140-2 certified... though in the post-Snowden era I'm not sure that's something I'd be particularly proud about)
