
RIM fixes serious BlackBerry PDF handling flaws

By SearchSecurity.com Staff
13 Jan 2009 | SearchSecurity.com

Security Wire Daily News

Research In Motion (RIM) has issued a security update to correct serious flaws in BlackBerry Enterprise Server and BlackBerry Unite software, which can be exploited to execute arbitrary code and gain access to critical data.

In a RIM advisory, the company said multiple flaws exist in the PDF distiller of some versions of the BlackBerry Attachment Service. PDF distillers turn PostScript files into PDF documents.

The flaws have a Common Vulnerability Scoring System (CVSS) score of 9.3. An attacker can exploit the flaws by sending an email with a malicious PDF file. If opened by the user on a BlackBerry, the malicious code could cause memory corruption. It could then "lead to arbitrary code execution on the computer that hosts the BlackBerry Attachment Service," RIM said.
BlackBerry advisories:
RIM updates BlackBerry Desktop Software to fix ActiveX flaw: The latest update for BlackBerry Desktop Software includes a fix to an ActiveX vulnerability located in a tool used to synchronize BlackBerrys and PCs running Microsoft Windows.

BlackBerry server faced with critical zero-day: A serious PDF handling flaw in BlackBerry Enterprise Server could be exploited by attackers to gain access to sensitive information.

In a separate advisory, RIM said the BlackBerry Unite software is also affected by the PDF distiller flaw.

Danish vulnerability clearinghouse Secunia gave the flaws a highly critical rating in its advisory.

The flaws affect BlackBerry Enterprise Server software version 4.1 Service Pack 3 through 4.1 Service Pack 6 and BlackBerry Professional Software 4.1 Service Pack 4. BlackBerry Unite software versions earlier than 1.0 Service Pack 3 are also affected. Users of BlackBerry Unite can upgrade to the latest version. Security Update 2 has also been issued to fix the vulnerabilities.

As a workaround, RIM said customers can prevent the BlackBerry Attachment Service from processing PDF files in the BlackBerry Unite environment.

Sean Larsson of iDefense Labs discovered the vulnerabilities.
