BlackBerry PDF flaw exposes corporate networks

BlackBerry maker Research in Motion is warning businesses to disable the function which allows a BlackBerry to read PDF files until it can issue an update, after a security flaw was found in the company's software.

A "high" severity flaw affecting how BlackBerry Enterprise Server (BES) opens PDF attachments could be used to compromise a corporate network. Research in Motion quietly disclosed the flaw last week but is yet to issue a patch.

"This issue has been escalated internally to our development team. No resolution time frame is currently available," RIM states in its advisory.

Until it can issue a patch, RIM has warned customers to disable the BlackBerry Attachment Service, which allows BES to process PDF attachments for users to view on their BlackBerry devices. The flaw concerns how the BlackBerry Attachment Service processes PDF files, which can be exploited via a maliciously crafted PDF.

Vulnerable systems include BES software version 4.1 Service Pack 3 (4.1.3) through to 4.1 Service Pack 5 (4.1.5). RIM has given the advisory a "high" severity rating.

"If a BlackBerry smartphone user on a BlackBerry Enterprise Server opens and views the specially crafted PDF file attachment on the BlackBerry smartphone, the arbitrary code execution could compromise the computer," RIM states on its advisory.

View: ZDNet

Report a problem with article
Previous Story

Microsoft Opens Up Live Mesh Tech Preview To The Public.

Next Story

Magic Utilities 2008 version 5.50 is available

11 Comments

Commenting is disabled on this article.

Why do companies insist on putting sensitive data on servers that are exposed to the outside? Even then laptops are stolen/lost, same with USB keys... it seems like now businesses are hemorrhaging sensitive data. Soon there may not be even such a thing as a trade secret!

I suppose we are lucky, explaining this issue to higher ups and explain what could happen. Once that was done is was easy to move forward w/ the disable..

We just disabled just now as well....Err on the side of caution. Whats worse sending an email to your handheld users stating you are disabling this service (they can still open via outlook/owa), or running into an issue where the BES is compromised and you have been aware of it.

(J0HN said @ #3)
We just disabled just now as well....Err on the side of caution. Whats worse sending an email to your handheld users stating you are disabling this service (they can still open via outlook/owa), or running into an issue where the BES is compromised and you have been aware of it.

Or worse yet our situation... "fix the problem"... like we can fix blackberry's issues... combined with "keep the PDF's working on the phones" and "do what you have to so we can prevent an issue"... talk about confusing directives...

Yeah right. Like big companies are going to disable the attachment service. Too many people rely on it for it to be disabled. If we ever did that, we would have a riot of angry executives on our hands.

However, if a virus or worm gets in .... lol.

(4tehlulz said @ #1.1)
Yeah, no kidding. There's no way that our IT dept. is going to disable PDF viewing. Too many people depend on it.

I've disabled it, and sent email to the BlackBerry users group. They can check pdf attachments via OWA until RIM issues a patch, and the server is patched.

You all can take chances with your BES and email servers, good luck with that, but I'm not going to.

(iCarry said @ #1.2)

I've disabled it, and sent email to the BlackBerry users group. They can check pdf attachments via OWA until RIM issues a patch, and the server is patched.

You all can take chances with your BES and email servers, good luck with that, but I'm not going to.


When you have over 20,000 Blackberry users, most of whom are executives, you would be murdered in your sleep for disabling something like this lol. Trust me, in our organization it won't fly. Believe me though I would have it disabled if I could.