RIM closes critical holes in BlackBerry
Specially crafted PDF files that can be used to attack a BlackBerry server are at the root of a security update from RIM. According to RIM's report, a bug in the PDF distiller component of the Attachment Service makes it possible for an attacker to take control of the server. The Attachment Service lets BlackBerry users view documents more easily on their device by having the server pre-process them. The problem can only be triggered when a BlackBerry user opens a PDF attachment for viewing.
RIM fixed a similar problem in mid-2008, and has again provided updates for BlackBerry Enterprise Server versions 4.1.3 to 4.1.6, BlackBerry Professional Software Service Pack 4 (4.1.4) and BlackBerry Unite versions before Service Pack 1.0.3.
As a workaround, RIM recommends disabling the processing of PDFs in the Attachment Service, and gives instructions on how to do this in the advisories. As RIM has rated the vulnerabilities 9.3 out of 10 on the Common Vulnerability Scoring System (CVSS), administrators should act quickly.
- Vulnerabilities in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server, RIM advisory
- Vulnerabilities in the PDF distiller of the BlackBerry Attachment Service for BlackBerry Unite, RIM advisory
- Critical vulnerability in BlackBerry Enterprise Server, heise Security report