BlackBerry bitten by PDF distiller security hole

Summary: A serious security flaw in the way Research in Motion's BlackBerry Enterprise Server processes PDF files could expose businesses to remote code execution attacks

A serious security flaw in the way Research in Motion's BlackBerry Enterprise Server processes PDF files could expose businesses to remote code execution attacks, the company warned in an advisory.

The vulnerability, discovered in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server, could allow an attacker to take control of the computer that the BlackBerry Attachment Service runs on.

Here's the gist of the problem from RIM's advisory:

The vulnerability could allow a malicious individual to cause buffer overflow errors, leading to a Denial of Service (DoS) condition or possibly arbitrary code execution on the computer that the BlackBerry Attachment Service runs on.

Successful exploitation of this issue requires a malicious individual to persuade a BlackBerry smartphone user to open a specially crafted PDF file on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server. The PDF file may be attached to an email message, or the BlackBerry smartphone user may retrieve it from a web site using the Get Link menu item on the BlackBerry smartphone.

RIM recommends that BlackBerry Enterprise Server administrators review and apply the available patches, or consider implementing the workaround described in the advisory.

Affected software includes:

  • BlackBerry Enterprise Server Express version 5.0.2 for Microsoft Exchange
  • BlackBerry Enterprise Server versions 5.0.2, 5.0.1, 5.0.0, 4.1.7 and earlier for Microsoft Exchange
  • BlackBerry Enterprise Server versions 5.0.2, 5.0.1, 5.0.0, 4.1.7 and earlier for IBM Lotus Domino
  • BlackBerry Enterprise Server versions 5.0.1, 4.1.7 and earlier for Novell GroupWise
  • BlackBerry® Professional Software version 4.1.4 and earlier for Microsoft Exchange and IBM Lotus Domino

This issue does not affect BlackBerry smartphones.

Talkback

6 comments
  • RE: BlackBerry bitten by PDF distiller security hole

    This would be a problem if anybody actually opened PDFs on their Blackberry. I've tried it a few times, and no, I can't see jack s*** no matter how much zooming and scrolling I do. And that's after waiting a couple minutes for it to download. I'm yet to see a PDF I can read even a single word from using a Blackberry. Eventually I stopped trying. If an e-mail has a PDF attached, I'll wait until I get to my desktop to try and open it.
    putty.master
  • RE: BlackBerry bitten by PDF distiller security hole

    ROFL PDF on blackberry is a joke.
    Jimster480
  • Essential reading for every hacker...

    These articles must be required reading for every hacker out there. Not only do they explain where all the flaws are, they explain how to exploit them and even say what measures are being taken to patch them, so the prospective hacker will know how to craft his virus to work around them.

    Wonderful stuff! I, for one, couldn't do my work without them.

    Keep 'em coming!
    ulrichburke@...
  • Another security threat!?

    So, when did PDF suddenly become as full of holes as Windows? :P
    ZackCDLVI
    • Must be such a troubled life to be so negatively obsessed with Windows.

      @Zc456: "So, when did PDF suddenly become as full of holes as Windows?"

      Maybe there's some type of counseling you could attend?
      ye