On Aug. 17, BlackBerry disclosed that its real-time operating system is affected by a BadAlloc vulnerability. An attacker could exploit these vulnerabilities to deploy malware or cause a denial of service, according to an Aug. 17 news release from the Cybersecurity and Infrastructure Security Agency (CISA).
Six things to know:
- Some companies affected by the flaw disclosed the news in May, while BlackBerry chose to be discreet about the vulnerability, Politico reported. According to Politico's sources, BlackBerry resisted making a public announcement even though it could not identify everyone using the software.
- Tech companies may prefer to disclose vulnerabilities privately so as not to alert attackers that systems are vulnerable. Private disclosure also delays the public backlash or financial losses that can result from a breach.
- CISA told BlackBerry that the vulnerability potentially created risks for national security, and the Defense Department was involved in finding acceptable timing for BlackBerry to disclose the vulnerability, Politico reported.
- Eric Goldstein, the head of CISA’s cyber division, said the vulnerable systems are “used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems. While we are not aware of any active exploitation, we encourage users of [the system] to review the advisory BlackBerry put out today and implement mitigation measures, including patching systems as quickly as possible.”
- In a statement to Politico, BlackBerry did not deny that it was hesitant about publicly disclosing the vulnerability. The company said it maintains a list of customers and has been communicating with them directly.
- “Software patching communications occur directly to our customers,” BlackBerry said. “However, we will make adjustments to this process in order to best serve our customers.”