Research in Motion (RIM), the maker of the BlackBerry smartphone, has issued a security update fixing BlackBerry vulnerabilities affecting the BlackBerry Enterprise Server and the BlackBerry Enterprise Server Express.
The vulnerabilities, which have been given a high severity rating, would allow a hacker to execute remote code on the server. The update affects the BlackBerry Mobile Data Service (MDS) Connection Service component, which processes images on webpages, and the BlackBerry Messaging Agent, which processes PNG and TIFF images for rendering on the BlackBerry smartphone.
RIM said an attacker could use the vulnerability to potentially gain access to other non-segmented parts of the network. To exploit the vulnerabilities in the MDS connection service, the attacker would need to create a specially crafted webpage and then persuade the user to click a link to visit the page. The attacker could provide the link to the user in an email or instant message.
To exploit these vulnerabilities in the BlackBerry Messaging Agent, the attacker would need to embed specially crafted PNG and TIFF images in an email message and send the message to the BlackBerry user. The user would not need to click a link or an image, or view the email message, for the attack to succeed.
As a short-term workaround, RIM suggests that organisations disable inline images and rich content for BlackBerry smartphone users until the update is applied.