RIM to BlackBerry Admins: Beware New BES Security Flaw

BlackBerry-maker Research In Motion (RIM) has issued a critical security advisory related to a flaw in its BlackBerry Enterprise Server (BES) software that could enable hackers to execute malicious code and hijack infrastructure. The vulnerability is currently ranked as both a 9.2 and 5.7 on a scale of 0 to 10, with 10 representing the most critical flaws.

The vulnerability relates to the PDF distiller component in the BES BlackBerry Attachment Service, which controls the way PDF files are handled in a BES environment. The PDF distiller is a problem area for RIM and its BES software; a variety of security flaws have been identified within the component during the past years, and RIM has issued a number of similar advisories, most recently last July.

BlackBerry administrators running BES 4.1 service pack 3 (v4.1.3) or higher should visit RIM's server download page immediately to update their software and resolve the issue. BES 4.1.2 and earlier is not affected by the flaw, RIM says.

The new vulnerability is ranked as both a 9.2 and 5.7 on the Common Vulnerability Scoring System (CVSS), because tools to help combat the issue are available from Microsoftfor Windows BES software, reducing the threat level in some cases.

Earlier this week, RIM released BES 5.0 SP1 for both Microsoft Exchange and Lotus Domino. BES 5.0 SP1 users should also visit RIM's server downloads page to install the required security update, according to RIM.

From the security advisory:

"Multiple security vulnerabilities exist in the PDF distiller of some released versions of the BlackBerry Attachment Service component of the BlackBerry Enterprise Server. These vulnerabilities could enable a malicious individual to send an email message containing a specially crafted PDF file, which when opened for viewing on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server, could cause memory corruption and possibly lead to a Denial of Service (DoS) condition or arbitrary code execution on the computer that hosts the BlackBerry Attachment Service component of that BlackBerry Enterprise Server."

RIM recommends updating affected BES software immediately, and admins may also choose to disable PDF processing in the BlackBerry Attachment Service. Specific instructions on how to do so are also available on RIM's site, along with general BlackBerry security information.

RIM also identified another less-severe bug in some versions of its new BES 5.0 SP1, which causes users' address book listings to disappear after the 5.0 SP1 upgrade. The BlackBerry-maker has not yet issued an official fix for this problem, but additional information and a workaround can be found on RIM's site.

More from IDG: