RIM to BlackBerry Admins: Beware New BES Security Flaw
RIM has identified another critical security flaw in its BlackBerry Enterprise Server (BES) software, and the BlackBerry-maker is suggesting all organizations running BES 4.1.3 or higher update their software immediately or at least disable the problem component.
By Al Sacco
Managing Editor, CIO
BlackBerry-maker Research In Motion (RIM) has issued a critical security advisory for a flaw in its BlackBerry Enterprise Server (BES) software that could let attackers execute malicious code and take over infrastructure. The vulnerability has been assigned two severity ratings, 9.2 and 5.7, on a scale of 0 to 10, with 10 representing the most critical flaws.
The vulnerability relates to the PDF distiller component of the BES BlackBerry Attachment Service, which controls how PDF files are handled in a BES environment. The PDF distiller has been a recurring problem area for RIM and its BES software: a variety of security flaws have been identified in the component in recent years, and RIM has issued a number of similar advisories, most recently last July.
BlackBerry administrators running BES 4.1 service pack 3 (v4.1.3) or higher should visit RIM’s server download page immediately to update their software and resolve the issue. BES 4.1.2 and earlier are not affected by the flaw, RIM says.
Earlier this week, RIM released BES 5.0 SP1 for both Microsoft Exchange and Lotus Domino. BES 5.0 SP1 users should also visit RIM’s server downloads page to install the required security update, according to RIM.
From the security advisory:
“Multiple security vulnerabilities exist in the PDF distiller of some released versions of the BlackBerry Attachment Service component of the BlackBerry Enterprise Server. These vulnerabilities could enable a malicious individual to send an email message containing a specially crafted PDF file, which when opened for viewing on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server, could cause memory corruption and possibly lead to a Denial of Service (DoS) condition or arbitrary code execution on the computer that hosts the BlackBerry Attachment Service component of that BlackBerry Enterprise Server.”
RIM also identified another less-severe bug in some versions of its new BES 5.0 SP1, which causes users’ address book listings to disappear after the 5.0 SP1 upgrade. The BlackBerry-maker has not yet issued an official fix for this problem, but additional information and a workaround can be found on RIM’s site.
Al Sacco was a journalist, blogger and editor who covered the fast-paced mobile beat for CIO.com and IDG Enterprise, with a focus on wearable tech, smartphones and tablet PCs. Al managed CIO.com writers and contributors, covered news, and shared insightful expert analysis of key industry happenings. He also wrote a wide variety of tutorials and how-tos to help readers get the most out of their gadgets, and regularly offered recommendations on software for a number of mobile platforms. Al resides in Boston and is a passionate reader, traveler, beer lover, film buff and Red Sox fan.