Public disclosure of a software vulnerability is rarely something a company wants to face. A patch has to be developed quickly, and the eventual announcement can, at least temporarily, dent the developer's reputation. BlackBerry has finally disclosed a flaw it had known about for months, and only after the Department of Homeland Security got involved.
On Tuesday, BlackBerry announced a vulnerability in its QNX real-time operating system. The flaw, one of the memory-allocation bugs collectively dubbed BadAlloc, can let an attacker crash or disable affected devices. What is troubling is that the decades-old embedded operating system is still used in factory machinery, medical devices, rail equipment, automobiles, and even in components aboard the International Space Station.
It is also concerning that BlackBerry took so long to disclose the flaw, given the critical equipment QNX powers. While BlackBerry only acknowledged the issue this week, Microsoft security researchers found it in April. They notified the vendors involved in their study, and in May those firms publicly disclosed the vulnerability with the help of the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA).
Politico reports that, according to people familiar with the matter, BlackBerry told federal cybersecurity officials that BadAlloc did not affect its products. The company also resisted going public with the flaw, even though it could not identify its entire QNX customer base, which meant it had no way to notify every affected user privately.
The sources said BlackBerry went back and forth with CISA over disclosure before finally agreeing to publish an alert on Tuesday. Customers are urged to update to the latest version of QNX, which patches the flaw, tracked as CVE-2021-22156. CISA also issued an advisory and said there is no indication that the vulnerability is being actively exploited. The practical caveat for operators is that in most of the affected industries QNX is embedded in someone else's product, so the fix only reaches a device once the equipment vendor ships it in a firmware update; operators should ask their vendors whether their equipment runs a vulnerable QNX version rather than wait to be contacted by BlackBerry.