RIM Patches New BES Security Flaw, Releases BES 5.0.3 MR3 Update
RIM this week issued new security and maintenance updates for many versions of its BlackBerry Enterprise Server (BES) software, and the company says BES administrators should update immediately to avoid potential security issues.
By Al Sacco
Managing Editor, CIO
BlackBerry-maker Research In Motion (RIM) this week issued a security advisory and a related fix for a newly discovered flaw in a number of versions of its BlackBerry Enterprise Server (BES) software that could allow hackers or other miscreants to access sensitive BES data or even launch a form of denial of service (DoS) attack.
RIM also released a new maintenance update for BES 5.0 Service Pack 3, or 5.0.3, for Microsoft Exchange and Lotus Domino, called BES v.5.0.3 maintenance release 3 (MR3).
The BES vulnerability appears to affect all of the most recent versions of BES 5.0 and BES Express for Exchange, Domino and Novell GroupWise. It has a Common Vulnerability Scoring System (CVSS) rating of 4.8, with 0 representing no significant threat, and 10 representing the most serious threats. RIM recommends that all BES administrators running any of these software versions install the new security updates immediately to address the flaw.
“A vulnerability exists in the BlackBerry Administration API which could allow an attacker to read files that contain only printable characters on the BlackBerry Enterprise Server, including unencrypted text files. Binary file formats, including those used for message storage, are not affected. This vulnerability is limited to the user permissions granted to the BlackBerry Administration API component.
“Successful exploitation of this issue could allow information disclosure. Successful exploitation may also result in resource exhaustion and therefore could be leveraged as a partial denial of service (DoS).”
Along with the security update, RIM also released a new BES maintenance update for BES v5.0 for Exchange and Lotus Domino, BES 5.0.3 MR3, though it has not yet posted any release notes identifying bug fixes or feature enhancements.
Al Sacco was a journalist, blogger and editor who covered the fast-paced mobile beat for CIO.com and IDG Enterprise, with a focus on wearable tech, smartphones and tablet PCs. Al managed CIO.com writers and contributors, covered news, and shared insightful expert analysis of key industry happenings. He also wrote a wide variety of tutorials and how-tos to help readers get the most out of their gadgets, and regularly offered up recommendations on software for a number of mobile platforms. Al resides in Boston and is a passionate reader, traveler, beer lover, film buff and Red Sox fan.