Security Communications Release: Security Advisory posted (KB26296: Cross-site scripting (XSS) vulnerability in the BlackBerry Web Desktop Manager component of the BlackBerry Enterprise Server)
On April 12, 2011, Research In Motion (RIM) released a security advisory, KB26296: Cross-site scripting (XSS) vulnerability in the BlackBerry Web Desktop Manager component of the BlackBerry Enterprise Server. This security advisory provides details of a known cross-site scripting vulnerability in the BlackBerry Web Desktop Manager component of the BlackBerry Enterprise Server and BlackBerry Enterprise Server Express.
RIM has issued interim security software updates that resolve the issue in the supported versions of the affected software. To resolve the issue, download and apply the interim security software update for the affected software version in use. Links to the updates are listed in the Resolution section of the security advisory. Orange recommends that BlackBerry Enterprise Server administrators and IT administrators apply the software updates.
The vulnerability could allow an attacker to execute externally supplied script in the browser of a legitimate BlackBerry Web Desktop Manager user, with that user's privileges. While the user is logged in to the BlackBerry Web Desktop Manager, the injected script could perform any BlackBerry Web Desktop Manager task that the user could perform on a BlackBerry smartphone. Such tasks include remotely wiping and disabling the device, remotely resetting the device password and locking the device, and activating the user's account on another device over the wireless network.
Successful exploitation of this issue requires the attacker to persuade the legitimate user to click a specially crafted URL, for example one delivered in a web page, an email, or an instant message.
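The mechanism the advisory describes is reflected cross-site scripting: a value from the crafted URL is written into the page unencoded, so the browser treats the attacker's markup as part of the application and runs it inside the victim's logged-in session. The following is an added illustration written for this page, not BlackBerry Web Desktop Manager code, and it assumes nothing about that product's real pages or parameter names; the host, path, "msg" parameter, and the payload in the URL are all constructed for the example. It places a vulnerable rendering function beside the hardened form that HTML-encodes the parameter for the text context it lands in.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed example of a crafted URL a victim might be lured into clicking.
# Host, path, parameter name and payload are hypothetical.
CRAFTED_URL = (
    "https://bwdm.example.internal/status"
    "?msg=%3Cscript%3Ealert(1)%3C/script%3E"
)


def msg_from_url(url: str) -> str:
    """Return the URL-decoded value of the hypothetical 'msg' query parameter."""
    params = parse_qs(urlsplit(url).query)
    return params.get("msg", [""])[0]


def render_vulnerable(msg: str) -> str:
    """Reflects the parameter into the page verbatim.

    Attacker-controlled markup becomes part of the DOM and any script in it
    runs in the application's origin, with the victim's session cookies, so it
    can issue the same requests the logged-in user could.
    """
    return f"<html><body><p>Status: {msg}</p></body></html>"


def render_fixed(msg: str) -> str:
    """HTML-encodes the parameter before placing it in element text.

    '<', '>', '&' and quotes are turned into entities, so the browser shows
    the attacker's input as text instead of parsing it as a tag.
    """
    return f"<html><body><p>Status: {html.escape(msg, quote=True)}</p></body></html>"


def contains_live_script(page: str) -> bool:
    """Rough check used only for this illustration: is there an unescaped
    <script tag in the rendered page? Real verification would drive a browser."""
    return "<script" in page.lower()


if __name__ == "__main__":
    injected = msg_from_url(CRAFTED_URL)
    print("vulnerable page executes script:", contains_live_script(render_vulnerable(injected)))
    print("fixed page executes script:     ", contains_live_script(render_fixed(injected)))
```

Encoding must match the output context: the escaping above is correct for element text and quoted attribute values, while a value placed inside a script block or a URL needs context-specific encoding instead. The user-side precaution the advisory gives, not clicking untrusted links while logged in, reduces exposure but does not remove the flaw; only the server-side fix does.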
For further information, please see the posted security advisory above.