RIM to BlackBerry Administrators: Beware Critical BES Security Flaw (UPDATED)
A vulnerability in the BlackBerry Enterprise Server (BES) PDF rendering component could enable hackers to hijack associated infrastructure, RIM says.
Wed, July 16, 2008
Since this story was originally posted, RIM released an update to its BlackBerry Enteprise Server (BES) software, v4.1.6, that fixes the security vulnerability detailed in this story. For more information on BES 4.1.6, read "BES 4.1.6 Upgrade Addresses Critical PDF Flaw."
Research In Motion (RIM) is warning corporate IT administrators that a serious security flaw in the BlackBerry Enterprise Server (BES) BlackBerry Attachment Service could allow hackers to execute malicious code and hijack infrastructure. The vulnerability is ranked by RIM as a 9.0 on a scale of 0 to 10, with 10 representing the most critical flaws.
IT departments using BES software version 4.1 Service Pack (SP) 3 through BES v4.1 SP5 are at risk, as are users of BlackBerry Unite! version 1.0 SP1 bundle 36 or earlier, according to RIM. BlackBerry Unite! is a service that lets users access shared files via BlackBerry.
From a RIM security advisory:
"A security vulnerability in the PDF distiller of the BlackBerry Attachment Service could enable a malicious individual to use a specially crafted PDF file attachment in an email message to cause arbitrary code to execute on the computer that the BlackBerry Attachment Service runs on. If a BlackBerry smartphone user on BlackBerry Unite! opens and views the specially crafted PDF file attachment on the BlackBerry smartphone; the arbitrary code execution could compromise the computer."
BES administrators should take measures to address the flaw immediately, RIM says.
RIM has not yet released an estimated resolution timeframe regarding the BES flaw, but it recommends upgrading BlackBerry Unite! to any version that's more recent than v1.0 SP1 bundle 36. For more information on how to upgrade, visit RIM's website.
Administrators should also prevent the BlackBerry Attachment Server from processing PDF files in a BES environment, according to the company. Specific instructions on how to do so are also available on RIM's site, along with general BlackBerry security information.
A comparable flaw was recently discovered in libpoppler, an open source PDF rendering library, according to U.K. security news and service firm Heise.