RIM BlackBerry Desktop Manager Update Fixes Security Flaw
BlackBerry-maker RIM has issued a software update to address a serious security flaw in its BlackBerry Desktop Manager software for Windows PCs. The company recommends all Desktop Manager users update the software immediately.
By Al Sacco
Managing Editor, CIO
BlackBerry smartphone users with Research In Motion’s (RIM) BlackBerry Desktop Manager software installed on Windows PCs–or Mac-based Windows virtual machines–should update the Desktop Manager software immediately, according to RIM.
Any and all BlackBerry Desktop Manager versions prior to v5.0.1 contain a security flaw that could allow malicious parties to remotely execute code on unsuspecting users’ computers, RIM says.
“If the malicious user performs an attack designed to decieve [sic] the legitimate user into clicking a link to a web site that appears to be from a trusted source, and the legitimate user chooses to access that site from the computer that is running the BlackBerry Desktop Manager, the user might be deceived into browsing to a web page that the malicious user has designed to perform remote code execution using the legitimate user’s privileges on the computer.
The BlackBerry Desktop Manager does not need to be running for a malicious user to exploit this vulnerability.”
The specific problem component within Desktop Manager is the Lotus Notes Intellisync DLL, which RIM says is included by default in all BlackBerry Desktop Manager installations. The flaw can reportedly be exploited whether or not the DLL is used after installation.
RIM has already released a software update to address the vulnerability, and users could receive automatic Desktop Manager notifications regarding the security fix, depending on which version of the software they employ. If you have not received an automatic update, or you chose not to update immediately, you should download and install the latest version of BlackBerry Desktop Manager from RIM’s website.
RIM also listed the following workaround:
“You can disable the Lotus Notes Intellisync functionality by unregistering the Intellisync component DLL, lnresobject.dll. Disabling the functionality prevents a malicious user from exploiting the vulnerability.
To unregister the DLL on the computer running the BlackBerry Desktop Manager, at a command line enter the command: regsvr32 /u "C:\Program Files\Research In Motion\BlackBerry\IS71 Connectors\Lotus Notes\5.0\lnsresobject.dll"”
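To confirm the workaround took effect, an administrator can check that no COM class registration still points at the Intellisync DLL. The read-only PowerShell check below is an added example, not part of RIM's advisory; it assumes the DLL registers as an in-process COM server (which is what regsvr32 manages), and it matches both spellings of the file name that appear above.

```powershell
# Added example: read-only check that the Intellisync DLL is no longer
# registered as a COM in-process server. It changes nothing on the machine.
# The advisory text spells the file name two ways, so both are matched.
$dllNames = @('lnresobject.dll', 'lnsresobject.dll')

# regsvr32 writes class registrations under CLSID\{guid}\InprocServer32.
# On 64-bit Windows a 32-bit DLL lands in the WOW6432Node view.
$roots = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Classes\CLSID',
    'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID'
)

function Get-IntellisyncRegistration {
    foreach ($root in $roots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($clsid in Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue) {
            $inproc = $clsid.OpenSubKey('InprocServer32')
            if ($null -eq $inproc) { continue }
            # The key's default value is the path of the DLL the class loads.
            $server = [string]$inproc.GetValue('')
            $inproc.Close()
            if ([string]::IsNullOrWhiteSpace($server)) { continue }
            $path = $server.Trim('"')
            if ($dllNames -contains (Split-Path -Leaf $path)) {
                [pscustomobject]@{
                    Clsid  = $clsid.PSChildName
                    View   = $root
                    Server = $path
                    OnDisk = Test-Path -LiteralPath $path
                }
            }
        }
    }
}

$found = @(Get-IntellisyncRegistration)
if ($found.Count -eq 0) {
    'No COM class points at the Intellisync DLL (unregistered or not installed).'
} else {
    'The Intellisync DLL is still registered:'
    $found | Format-List
}
```

A remaining entry after running the unregister command usually means the DLL lives in a different path or registry view than the one the command targeted; updating to Desktop Manager v5.0.1 or later remains the actual fix.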