BlackBerry Web loader has serious ActiveX flaw

A flawed ActiveX control can be exploited by an attacker to run malicious code and gain access to critical files.

Research In Motion (RIM) issued an advisory Tuesday, warning users of a buffer overflow vulnerability in its Web-based application loader that could be remotely exploited by an attacker to gain access to critical system files.

RIM said the problem is in the BlackBerry Application Web Loader ActiveX control used by Internet Explorer to install applications on BlackBerry devices. When a user attempts to install the application loader, the ActiveX control introduces the vulnerability to the computer, RIM said in its warning to customers.

The flaw can be exploited remotely. It has a Common Vulnerability Scoring System (CVSS) score of 9.3.

Microsoft issued a security advisory related to the BlackBerry flaw, setting kill bits for the specific ActiveX control. A kill bit stops a specific ActiveX control from running in Microsoft Internet Explorer. The advisory also addresses a similar ActiveX issue with a download manager developed by Akamai Technologies Inc.
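A defender-side illustration of the kill-bit mechanism described above, added here and not taken from either vendor's advisory: a PowerShell check that reads the control's `Compatibility Flags` registry value for a given CLSID and sets the kill bit if it is missing. The CLSID shown is a placeholder; the real one for the BlackBerry control is in the advisories, not on this page.

```powershell
# Added example (not from RIM's or Microsoft's advisory): inspect and set the
# Internet Explorer kill bit for an ActiveX control identified by its CLSID.
$KillBitFlag = 0x400   # COMPAT_EVIL_DONT_LOAD, the kill bit (Microsoft KB 240797)
$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
# On 64-bit Windows, 32-bit IE reads the same subkey under
# HKLM:\SOFTWARE\Wow6432Node\...; repeat the check there if you need both.

function Get-ActiveXKillBit {
    # Returns $true when the kill bit is set for $Clsid, $false otherwise.
    param([Parameter(Mandatory)][string]$Clsid)
    $path = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $path)) { return $false }
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBitFlag) -ne 0)
}

function Set-ActiveXKillBit {
    # Sets the kill bit, preserving any other compatibility flags already present.
    param([Parameter(Mandatory)][string]$Clsid)
    $path = Join-Path $CompatKey $Clsid
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]($existing -bor $KillBitFlag)   # $null -bor 0x400 yields 0x400
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Usage (the Set- call needs an elevated prompt). PLACEHOLDER CLSID, not the real one:
$clsid = '{00000000-0000-0000-0000-000000000000}'
if (Get-ActiveXKillBit -Clsid $clsid) {
    "Kill bit already set for $clsid"
} else {
    Set-ActiveXKillBit -Clsid $clsid
    "Kill bit set for $clsid"
}
```

Running `Get-ActiveXKillBit` alone is a safe way to audit whether a vendor or Microsoft update actually applied the kill bit on a given machine.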

The BlackBerry flaw was discovered by researchers at eEye Digital Security.

Danish vulnerability clearinghouse Secunia issued an advisory Tuesday, giving the flaw a highly critical rating. "Successful exploitation allows execution of arbitrary code," Secunia said.