BES image flaws open door to attacks

Research In Motion has patched five critical flaws in the way BlackBerry Enterprise Server handles .png and .tiff images, which could lead to attacks via an embedded photo.
Written by Ben Woods, Contributor

Research In Motion has warned of five flaws in the image-rendering process in BlackBerry Enterprise Server that could be used by an outside attacker to run software on an infected system.

In a security advisory, the company said the vulnerabilities, which are rated 'critical', lie in how components in BlackBerry Enterprise Server (BES) process .png and .tiff images for rendering on a BlackBerry handset. The vulnerable components are the Mobile Data System (MDS), which processes images on web pages that the BlackBerry browser requests, and the Messaging Agent, which handles images in emails.

"Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server," RIM said in the security advisory on Tuesday. "Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network."

BES provides businesses with a secure platform that connects to messaging and collaboration software, such as Microsoft Exchange contact, calendaring and email software. The company noted that the vulnerabilities do not pose a threat to its handsets or other devices.

Vulnerabilities

To exploit the flaws in MDS, an attacker would need to create a malicious web page and convince the BlackBerry owner to click on a link to the page, sent via email or instant message.

With the Messaging Agent, the attacker only needs to embed a malicious .png or .tiff image in an email and then send that to the target smartphone. The user does not need to click or open the image for this attack to be successful, RIM said.

Graham Cluley, senior technology consultant at security company Sophos, said that he had not seen any evidence of the flaws being exploited in the wild. He also underlined that the weaknesses affect BES only and not the handsets specifically.

"Like other BlackBerry-related vulnerabilities we've seen in the past, the potential attack is against the BlackBerry Enterprise Server used by businesses," Cluley said. "The phones still have a part to play, of course, as the BlackBerry user has to be tricked into clicking on a link or visiting a boobytrapped webpage containing the malformed .png or .tiff file that allows code to run on the BES."

RIM has issued a patch to replace the vulnerable image.dll file in all affected versions of the BES software. These include BES editions for Microsoft Exchange, IBM Lotus Domino and Novell GroupWise, as well as BES Express 5.0.x versions for Exchange and Lotus Domino.
