Blackberry security flaw
Research in Motion, makers of the Blackberry, has warned businesses to disable the function which allows a BlackBerry to read PDF files, after a security flaw was found in the software.
A “high” severity flaw affecting how BlackBerry Enterprise Server (BES) opens PDF files may be used to compromise a network. RIM disclosed the flaw last week but is yet to issue a patch, stating that no timeframe for a fix was available.
Until then, customers are advised to disable the BlackBerry Attachment Service, which allows BES to process PDF attachments for users to view on their BlackBerry devices. The flaw relates to how the service processes PDF files, which can be exploited via a maliciously crafted PDF.
Vulnerable systems include BES software version 4.1 Service Pack 3 (4.1.3) through to 4.1 Service Pack 5 (4.1.5). RIM has given the advisory a “high” severity rating.
“If a BlackBerry smartphone user on a BlackBerry Enterprise Server opens and views the specially crafted PDF file attachment on the BlackBerry smartphone, the arbitrary code execution could compromise the computer,” RIM states on its advisory.
According to Sense of Security’s principal consultant, Jason Edelstein, this means that corporate networks are at risk due to the flaw. Most organisations place the BES within key networks, such as email servers, giving it privileged access to other computers on that network.
“Most organisations put the BES on an internal server on the network, which actually is a conduit between the internal server and RIM’s servers based in Canada,” he said.
“If someone loses their device and it’s not locked in some way, you could browse internally to that company’s Web-based resources,” he said.
“The way the end user can determine if they are vulnerable is to try to open the browser on the BlackBerry and attempt to access your intranet resources — if it comes up on the BlackBerry and you know it’s not published on the internet, that should raise alarm bells.”
Blackberry/RIM Knowledgebase article