RIM Patches Yet Another PDF-Related BlackBerry Enterprise Server (BES) Flaw
Another day, another "critical" PDF-related security flaw in Research In Motion's (RIM) BlackBerry Enterprise Server (BES). A new security update for various versions of BES, released today, should resolve the current issue...for now.
By Al Sacco
Managing Editor, CIO
That pesky PDF distiller in Research In Motion’s (RIM) BlackBerry Enterprise Server (BES) BlackBerry Attachment Service has yet again been identified as a security risk, and RIM has issued another “interim security update” to patch the vulnerability.
The vulnerability could allow a malicious individual to cause buffer overflow errors, which may result in arbitrary code execution on the computer that hosts the BlackBerry Attachment Service. While code execution is possible, an attack is more likely to result in the PDF rendering process terminating before it completes. In the event of such an unexpected process termination, the PDF rendering process will restart automatically but will not resume processing the same PDF file.
Successful exploitation of this issue requires a malicious individual to persuade a BlackBerry smartphone user to open a specially crafted PDF file on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server. The PDF file may be attached to an email message, or the BlackBerry smartphone user may retrieve it from a web site using the Get Link menu item on the BlackBerry smartphone.
The following BES versions are affected and should be updated immediately, according to RIM:
BlackBerry Enterprise Server Express version 5.0.1 and 5.0.2 for Microsoft Exchange
BlackBerry Enterprise Server Express version 5.0.2 for IBM Lotus Domino
BlackBerry Enterprise Server versions 4.1.3 through 5.0.2 for Microsoft Exchange and IBM Lotus Domino
BlackBerry Enterprise Server versions 4.1.3 through 5.0.1 for Novell GroupWise
BlackBerry Professional Software version 4.1.4 for Microsoft Exchange and IBM Lotus Domino
These PDF-distiller-related BlackBerry Attachment Service vulnerabilities in BES are anything but uncommon at this point. In fact, RIM issued at least four different PDF-distiller-related security updates since the summer of 2008. (Find information on those previous BES security flaws here, here, here and here.)
For a company that prides itself on security, this is really not a good thing. To be fair, no software is 100 percent foolproof, or secure, and RIM typically notifies its customers of any newly-discovered flaws promptly so they can update accordingly. But I must say, if I was a “malicious person” looking to exploit BlackBerry infrastructure, I would’ve started targeting this troublesome PDF distiller long ago. These repeated flaws seem to suggest that this latest vulnerability won’t likely be the last…
Al Sacco was a journalist, blogger and editor who covers the fast-paced mobile beat for CIO.com and IDG Enterprise, with a focus on wearable tech, smartphones and tablet PCs. Al managed CIO.com writers and contributors, covered news, and shared insightful expert analysis of key industry happenings. He also wrote a wide variety of tutorials and how-tos to help readers get the most out of their gadgets, and regularly offered up recommendations on software for a number of mobile platforms. Al resides in Boston and is a passionate reader, traveler, beer lover, film buff and Red Sox fan.