BlackBerry finally discloses QNX OS vulnerability affecting cars, hospital equipment,...

Cal Jeffrey

Posts: 3,205   +882
Staff member
Facepalm: Public disclosure of software vulnerabilities is not usually something a company wants to face. Patches need to be developed quickly and the eventual announcement can at least temporarily affect the developer's reputation. BlackBerry finally disclosed a flaw it has known about for months and only after the Department of Homeland Security got involved.

On Tuesday, BlackBerry announced a vulnerability found in its QNX operating system. The security glitch, dubbed BadAlloc, can allow bad actors to disable devices. What's troubling is that the aging operating system is still used in factory machinery, medical devices, rail equipment, automobiles, and even in components used on the International Space Station.

It's also bothering that BlackBerry took so long to disclose it, considering vital equipment it powers. While BlackBerry only acknowledged the flaw this week, Microsoft security researchers discovered it in April. They notified the companies involved in the study, and in May, those firms publicly disclosed the vulnerability with the aid of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).

Politico notes that insiders with knowledge of the situation said that in talks with the federal cybersecurity officials, BlackBerry denied BadAlloc affected its products. The company also resisted going public with the security hole despite its inability to identify its entire QNX client base.

The sources said that BlackBerry batted the issue back and forth with the CISA regarding disclosure before finally agreeing to put out an alert on Tuesday. Customers are urged to update to the latest version of QNX, which patches the hole. The CISA also issued a warning. The CISA said that there is no indication that the vulnerability was being actively exploited.

Image credit: Ben Stassen (CC BY 2.0)

Permalink to story.

 

Cal Jeffrey

Posts: 3,205   +882
Staff member
...Faulty? How is it faulty, or is the software actually not working properly?


Also, you're missing something here.
Thanks for the heads up. Supposed to be a 'said' in there.

Correct. The unpatched software is faulty because it has a major security flaw. Although the current version is fixed, there is presumably still a large number of older versions operating in the wild. BlackBerry doesn't even know itseft how many devices are running QNX.
 

m4a4

Posts: 2,610   +3,195
TechSpot Elite
Correct. The unpatched software is faulty because it has a major security flaw. Although the current version is fixed, there is presumably still a large number of older versions operating in the wild. BlackBerry doesn't even know itseft how many devices are running QNX.
I've never heard someone describe software in such a situation as faulty. To me it implies that it isn't reliable during normal operation.
Seems like an exaggeration in this case. Along the lines of calling it buggy. I would think vulnerable is more accurate.
 

psycros

Posts: 3,698   +4,651
Thanks for the heads up. Supposed to be a 'said' in there.

Correct. The unpatched software is faulty because it has a major security flaw. Although the current version is fixed, there is presumably still a large number of older versions operating in the wild. BlackBerry doesn't even know itseft how many devices are running QNX.

I'm sure Microsoft knows exactly how many people are running Windows 7. /rolleyes
 

Cal Jeffrey

Posts: 3,205   +882
Staff member
Thanks. I'll fix that. Faulty in that the unpatched version, which is still out there presumably since BlackBerry doesn't even know who all is using it, has a huge security hole in it. That's what I would call faulty.
I've never heard someone describe software in such a situation as faulty. To me it implies that it isn't reliable during normal operation.
Seems like an exaggeration in this case. Along the lines of calling it buggy. I would think vulnerable is more accurate.
Faulty: having or displaying weaknesses.

I try not to be too repetitive and use synonyms when possible. Faulty is a valid synonym in this case, but I can't be responsible for your interpretation of the word. lol ;)