Research In Motion yesterday announced a new BlackBerry patch that fixes a display flaw that could help phishers conduct an attack.
The flaw involves the dialog box that displays when a BlackBerry user visits a supposedly secured site that uses a mismatched security certificate. If a scammer creates a certificate that uses hidden (null) characters, the BlackBerry browser will correctly recognize a mismatch between such a certificate and a Web site's name and display a warning dialog. However, the old dialog doesn't display hidden characters, which could make the certificate and site name look the same in the warning and lead users to ignore it.
The new version will correctly display hidden characters in the dialog box. For screen shot examples of the old v. new dialog boxes, along with further details, see RIM's security advisory. According to that post, all versions of the BlackBerry Device Software need the patch, which is available from
http://www.blackberry.com/updates/.BlackBerry browser dialog box does not clearly indicate mismatches between web site domain names and associated certificates
Environment
Research In Motion (RIM) has tested the following software to determine which versions or editions are affected by the issue described in this advisory. Other versions or editions are either past their support life cycle or are not affected.
