BlackBerry PDF flaw exposes corporate networks

BlackBerry maker Research in Motion is warning businesses to disable the function which allows a BlackBerry to read PDF files until it can issue an update, after a security flaw was found in the company's software.

BlackBerry maker Research in Motion is warning businesses to disable the function which allows a BlackBerry to read PDF files until it can issue an update, after a security flaw was found in the company's software.

A "high" severity flaw affecting how BlackBerry Enterprise Server (BES) opens PDF attachments could be used to compromise a corporate network. Research in Motion quietly disclosed the flaw last week but is yet to issue a patch.

"This issue has been escalated internally to our development team. No resolution time frame is currently available," RIM states in its advisory.

Until it can issue a patch, RIM has warned customers to disable the BlackBerry Attachment Service, which allows BES to process PDF attachments for users to view on their BlackBerry devices. The flaw concerns how the BlackBerry Attachment Service processes PDF files, which can be exploited via a maliciously crafted PDF.

Vulnerable systems include BES software version 4.1 Service Pack 3 (4.1.3) through to 4.1 Service Pack 5 (4.1.5). RIM has given the advisory a "high" severity rating.

"If a BlackBerry smartphone user on a BlackBerry Enterprise Server opens and views the specially crafted PDF file attachment on the BlackBerry smartphone, the arbitrary code execution could compromise the computer," RIM states on its advisory.

According to Sense of Security's principal consultant, Jason Edelstein, this means that corporate networks are at risk due to the flaw. Most organisations place the BES within key networks, such as email servers, giving it privileged access to other computers on that network.

"Given the BES needs to access the data store from the mail server, obviously that's quite a high privilege. If you can execute with the privileges of BES, it's significant what you could do on an email server or another domain name service," he said.

RIM is aware of this weakness and says in its advisory that the BlackBerry Attachment Service can be installed on a remote computer in an isolated environment to prevent attacks affecting other computers.

According to Maarten Van Horenbeeck, a security researcher at the Internet Storm Centre, "This vulnerability is ... one of those cases where it appears the BlackBerry, which opens a file, may be at risk, but what is really exposed is the enterprise set-up housed in the centre of the corporate network."

The Australian Defence Signals Directorate last year issued guidelines on how government agencies should configure a BlackBerry service to run with Microsoft Exchange Server version 5.5.

Sense of Security's Edelstein said there were "quite a few architectural problems" with BlackBerry implementations. "Most organisations put the BES on an internal server on the network, which actually is a conduit between the internal server and RIM's servers based in Canada," he said.

"If someone loses their device and it's not locked in some way, you could browse internally to that company's Web-based resources," he said.

"The way the end user can determine if they are vulnerable is to try to open the browser on the BlackBerry and attempt to access your intranet resources — if it comes up on the BlackBerry and you know it's not published on the internet, that should raise alarm bells."