RIM closes another BlackBerry PDF vulnerability
According to Research In Motion (RIM), a specially crafted PDF file can be used by an attacker to gain control of a BlackBerry Enterprise server. As with several previous vulnerabilities, the problem is in the PDF distiller of the BlackBerry Attachment service which pre-processes documents on the server so they can be easily read on a BlackBerry device.
Opening the crafted PDF document on a BlackBerry smartphone client triggers the flaw on the server, causing memory corruption which leads to the execution of arbitrary code. According to RIM, BlackBerry Enterprise Server 4.1.3, 5.0 and BlackBerry Professional 4.1.4 are affected. The Interim Security Software Update 2 for Enterprise Server 5.0 and Update 4 for Enterprise Server 4.1.3 and Professional fix the problem.
While RIM have released updates to the applications, in the interim they advise disabling PDF file processing on the BlackBerry server and give instructions on how to do so in the advisory.
- Vulnerabilities in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server, security advisory from RIM.