BlackBerry PDF flaw exposes corporate networks

Tom Warren   on 17 July 2008 - 07:56 · 11 comments & 7012 views

BlackBerry maker Research in Motion is warning businesses to disable the function which allows a BlackBerry to read PDF files until it can issue an update, after a security flaw was found in the company's software.

A "high" severity flaw affecting how BlackBerry Enterprise Server (BES) opens PDF attachments could be used to compromise a corporate network. Research in Motion quietly disclosed the flaw last week but has yet to issue a patch.

"This issue has been escalated internally to our development team. No resolution time frame is currently available," RIM states in its advisory.

Until it can issue a patch, RIM has warned customers to disable the BlackBerry Attachment Service, the BES component that processes PDF attachments so users can view them on their BlackBerry devices. The flaw lies in how the BlackBerry Attachment Service parses PDF files, and it can be triggered by a maliciously crafted PDF.

Vulnerable systems include BES software version 4.1 Service Pack 3 (4.1.3) through to 4.1 Service Pack 5 (4.1.5). RIM has given the advisory a "high" severity rating.

"If a BlackBerry smartphone user on a BlackBerry Enterprise Server opens and views the specially crafted PDF file attachment on the BlackBerry smartphone, the arbitrary code execution could compromise the computer," RIM states on its advisory.

View: ZDNet

Comments (11)
(3 replies) #1 +Lexcyn on 17 Jul 2008 - 12:37
Yeah right. Like big companies are going to disable the attachment service. Too many people rely on it for it to be disabled. If we ever did that, we would have a riot of angry executives on our hands.

However, if a virus or worm gets in .... lol.
#1.1 4tehlulz on 17 Jul 2008 - 13:22
Yeah, no kidding. There's no way that our IT dept. is going to disable PDF viewing. Too many people depend on it.
#1.2 iCarry on 17 Jul 2008 - 13:35
(4tehlulz said @ #1.1)
Yeah, no kidding. There's no way that our IT dept. is going to disable PDF viewing. Too many people depend on it.


I've disabled it, and sent an email to the BlackBerry users group. They can check PDF attachments via OWA until RIM issues a patch and the server is patched.

You all can take chances with your BES and email servers, good luck with that, but I'm not going to.
#1.3 +Lexcyn on 17 Jul 2008 - 14:50
(iCarry said @ #1.2)
(4tehlulz said @ #1.1)
Yeah, no kidding. There's no way that our IT dept. is going to disable PDF viewing. Too many people depend on it.


I've disabled it, and sent an email to the BlackBerry users group. They can check PDF attachments via OWA until RIM issues a patch and the server is patched.

You all can take chances with your BES and email servers, good luck with that, but I'm not going to.

When you have over 20,000 BlackBerry users, most of whom are executives, you would be murdered in your sleep for disabling something like this lol. Trust me, in our organization it won't fly. Believe me though, I would have it disabled if I could.
(1 reply) #2 iCarry on 17 Jul 2008 - 13:05
Running BES 4.1.4.3 here. Since the article didn't bother to link to the RIM KB article, here it is:

RIM KB article with resolution
#2.1 creamhackered on 17 Jul 2008 - 13:46
What exactly does it matter if you are running 4.1.4.3 or not? It's still vulnerable!
(1 reply) #3 J0HN on 17 Jul 2008 - 15:08
We just disabled it now as well. Err on the side of caution. What's worse: sending an email to your handheld users stating you are disabling this service (they can still open via Outlook/OWA), or running into an issue where the BES is compromised and you had been aware of it?
#3.1 vetneufuse on 17 Jul 2008 - 18:04
(J0HN said @ #3)
We just disabled it now as well. Err on the side of caution. What's worse: sending an email to your handheld users stating you are disabling this service (they can still open via Outlook/OWA), or running into an issue where the BES is compromised and you had been aware of it?


Or worse yet, our situation... "fix the problem"... like we can fix BlackBerry's issues... combined with "keep the PDFs working on the phones" and "do what you have to so we can prevent an issue"... talk about confusing directives...
#4 vetneufuse on 17 Jul 2008 - 17:36
Yeah, disable it and get fired in the process... I don't think so.
#5 J0HN on 17 Jul 2008 - 19:28
I suppose we are lucky: explaining this issue to the higher-ups and explaining what could happen. Once that was done it was easy to move forward with the disable.
#6 HalcyonX12 on 18 Jul 2008 - 15:45
Why do companies insist on putting sensitive data on servers that are exposed to the outside? Even then, laptops are stolen/lost, same with USB keys... it seems like businesses are now hemorrhaging sensitive data. Soon there may not even be such a thing as a trade secret!