BlackBerry haunted by critical PDF distiller flaw

Summary: Research in Motion (RIM) has acknowledged a critical security flaw in the way its BlackBerry Enterprise Server processes PDF files.

Research in Motion (RIM) has acknowledged a critical security flaw in the way its BlackBerry Enterprise Server processes PDF files and warned that hackers can use PDF attachments to launch harmful code.

Here's the skinny on the problem, via RIM's advisory:

The vulnerability could allow a malicious individual to cause buffer overflow errors, which may result in arbitrary code execution on the computer that hosts the BlackBerry Attachment Service. While code execution is possible, an attack is more likely to result in the PDF rendering process terminating before it completes. In the event of such an unexpected process termination, the PDF rendering process will restart automatically but will not resume processing the same PDF file.

Successful exploitation of this vulnerability requires a malicious individual to persuade a BlackBerry smartphone user to open a specially crafted PDF file on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server. The PDF file may be attached to an email message or the BlackBerry smartphone user may retrieve it from a web site using the BlackBerry Browser.

The alert includes information on vulnerable versions of the software and download locations for patches. It also includes workarounds.

Talkback

9 comments
  • Let me get this right........

    "Successful exploitation of this vulnerability requires a malicious individual to persuade a BlackBerry smartphone user to open a specially crafted PDF file on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server"

    So what you are REALLY saying is simply opening a .pdf attachment from your phone can cause your server to be pwned!! Jeesh...a little wordy when they try to cover up a MASSIVE MASSIVE exploit.

    Instead they should be saying "DO NOT OPEN PDF's from your Black Berry" but that hurts the bottom line too much!
    ctunk
    • RE: BlackBerry haunted by critical PDF distiller flaw

      @ctunk

      Actually on the BES if you so desire you can turn off PDF support. Pretty much useless though as PDF is one of the primary document types passed around via email.

      Is this a BES issue or a PDF flaw? The fix, while annoying, is a very quick fix and I have it scripted. Total time to patch is less than a minute and you're back secure. If you really want, you can offload the attachment service to a dedicated VM box and keep your BES secure.
      MobileAdmin
      • Wait...wha?

        @MobileAdmin

        You mean with the simple 'flip of a switch' you can disable all of the handhelds (BB's) across your enterprise from being able to open PDF's???

        It's as simple as getting on the BES server, removing PDF as one of the file attachments that the handhelds can open? And, you can then force the update to instantly push out OTA to all the handhelds so it instantly updates the policy on each device??? No messing with wires? No messing with config files? No individual synching? No client workstation software needed? [i]No individual's credit card # needed?[/i]

        Wow...something that granular and scalable would be...well, for lack of a better word, [i]revolutionary[/i]!

        /sarcasm

        Ok, now let's get back to the Apple post of earlier today and talk about how ready [i]other[/i] phones are for the enterprise, and how consumerization of IT is definitely the way to go.
        SonofaSailor
    • It also works the other way...

      @ctunk

      [i]So what you are REALLY saying is simply opening a .pdf attachment from your phone can cause your server to be pwned!![/i]

      Since everything for BB's goes through the BES Server, you manage the devices in a manner to keep your server safe. Similar to how you manage workstations to keep file servers, domain controllers, etc., safe.

      For instance, using a BES server, if you have internet filtering software, such as Websense, that filters and blocks internet traffic for the BES Server, that is applied to the handhelds as well. So the Blackberry users can't go to a website that would be likely to serve up said PDF. This also keeps the BB users off porn sites, gambling, other no-no sites. Now, of course, email would be the primary route, but more than likely most companies have spam filters in place to mitigate that threat.

      Admittedly, though, there is a caveat...since the handhelds' web traffic goes through the BES server which is connected to the LAN, it's possible to reach web consoles for devices like switches, SAN web console mgmt, printer web consoles, any intranet site, etc.; unless further precautions are taken to keep the BES server from being able to reach these addresses on the LAN.

      Some could see that as a benefit - hey, I can control my SAN from my Blackberry with no software or apps required - but some would see that as a risk...if I lose my phone and it's unlocked, someone else could manage my SAN.
      SonofaSailor
  • Sign of the Times

    I find it ironic that this MASSIVE flaw is receiving nothing more than just a "passing glance" at best by most people (other than BB Admins or IT Security folks) - If this happened on the iPhone it would be Front Page news and the topic of watercooler conversations world wide. "It's a BlackBerry, NOBODY cares"
    smoody
    • Well, that's not quite it...

      @smoody

      Yes, it's a security risk for both platforms - iPhone and BB. And both have been affected by malicious PDFs - BB with this exploit, and iPhone with a PDF that would jailbreak/root the phone.

      The difference is, with BB, the vulnerability can be mitigated against in a matter of 1 minute. Simply disable the opening of PDFs on the handhelds on the BES server, send the updated IT Policy out to all devices, and voila, it's mitigated against until the IT Admin feels like downloading and installing the patch on the BES server. Imagine trying the iPhone workaround for 50 or so devices on a network (was there a workaround until Apple released a software update?)

      And, to answer the forthcoming reply of "oh, disabling PDFs isn't a legit workaround, I should be able to view PDFs on my phone..." I say: I've viewed PDFs on iPhone, BB, and Droid...and none of them are a pleasant experience. So the end user is not losing a whole lot.

      It's not so much "It's a Blackberry, NOBODY cares"...it's just [i]because[/i] it's a Blackberry, it's so easily manageable and fixed. By [i]one[/i] person, [i]one[/i] time.
      SonofaSailor
      • RE: BlackBerry haunted by critical PDF distiller flaw

        @SonofaSailor - once again, you're missing the point. No one is debating the aspects of Centralized Management; rather it's a sad comment on how far the relevance of the BlackBerry has fallen. Not even a Major Security flaw can get the interest of its User Community, let alone anyone else. I purposely asked several BB users today about this and not only did they not know about it, NO ONE really seemed to care that much about it!! Then again, to your point, with a lack-luster, document-unfriendly device like the BB, who would want to open a PDF anyways?? Are you next going to claim this was BB's Security Model all along - "Secured by Lack of Usefulness"?
        smoody
      • RE: BlackBerry haunted by critical PDF distiller flaw

        @smoody

        This is not something new; there has been an ongoing PDF risk for over a year. Hackers find a new vertical in PDF to attack, RIM issues a fix to correct it. Since there are means to correct the issue and mitigate the risk, it's a non-issue for those that manage the Blackberry solution. I can open and view attachments just fine (and more attachment types) on BB vs. iPhone. You do realize Blackberry has Documents to Go now, right?

        I also feel you are comparing totally different users. Blackberry users are just using their device and it works. Most of our users (8,000+) would likely not even own a smartphone if we didn't provide it.
        MobileAdmin