BlackBerrys at risk from PDF flaw

Critical security flaws in a component of BlackBerry Enterprise Server could leave systems open to denial-of-service or hack attack, RIM has warned
Written by Tom Espiner, Contributor

Research In Motion has pushed out patches for critical security issues in its BlackBerry Enterprise Server middleware product.

BlackBerry Enterprise Server (BES) suffers from multiple vulnerabilities in its attachment service, RIM said in a security advisory on Tuesday. The memory corruption flaws in BlackBerry Attachment Service could allow an attacker to send a malformed PDF to a smartphone. If the document is opened, it could crash the service or give the hacker unfettered access to a computer hosting the service, the company said. BlackBerry Attachment Service is a component of BES.

The security holes affect PDF distillers in BES version 5.0.0 for Windows Server 2008, 2003, and 2000. The flaws on systems running BES 5.0.0 for Windows Server 2000 are more serious, said the handset maker, as Windows Server 2008 and 2003 have default security settings that mitigate the severity of the flaws.

Vulnerabilities are also present in BES versions 4.1.3 to 4.1.7, and in BlackBerry Professional Software 4.1.4.

RIM recommended that administrators upgrade to unaffected versions of BES — for example, for BES 5.0 for Exchange and Domino, they should move to 5.0.1. Alternatively, IT managers can apply interim security updates, according to the advisory. A workaround is to disable BAS.
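For an administrator with more than one BES host, the first job is to work out which installations fall inside the affected ranges above and which need the most urgent attention. The following Python script is an added example, not code from the article or from RIM: it encodes the version ranges the article names (BES 5.0.0; BES 4.1.3 to 4.1.7; BlackBerry Professional Software 4.1.4), the 5.0.1 upgrade target the article gives for BES 5.0, and the article's point that Windows Server 2000 hosts are more exposed than 2003/2008 ones. The inventory lines, host names and the assumption that the version bounds are inclusive are constructed for illustration.

```python
"""Triage a BlackBerry Enterprise Server inventory against the version ranges
named in RIM's attachment-service advisory (as reported in the article).

Added example, not from the article or from RIM. Inventory data is constructed;
the affected ranges and the 5.0.1 upgrade target come from the article.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(s: str) -> Version:
    """Turn '4.1.7' into (4, 1, 7). Missing trailing components default to 0,
    so '5.0' compares equal to '5.0.0'."""
    parts = tuple(int(p) for p in s.strip().split("."))
    return parts + (0,) * (3 - len(parts))


@dataclass(frozen=True)
class AffectedRange:
    product: str
    low: Version   # inclusive (assumption: the article gives no exclusive bounds)
    high: Version  # inclusive
    advice: str


# Ranges and remediation as stated in the article.
AFFECTED = (
    AffectedRange("BES", parse_version("5.0.0"), parse_version("5.0.0"),
                  "upgrade to 5.0.1 or apply the interim security update"),
    AffectedRange("BES", parse_version("4.1.3"), parse_version("4.1.7"),
                  "upgrade to an unaffected version or apply the interim security update"),
    AffectedRange("BlackBerry Professional Software",
                  parse_version("4.1.4"), parse_version("4.1.4"),
                  "upgrade to an unaffected version or apply the interim security update"),
)


def assess(product: str, version: str) -> Optional[str]:
    """Return the remediation advice if (product, version) is affected, else None."""
    v = parse_version(version)
    for r in AFFECTED:
        if r.product == product and r.low <= v <= r.high:
            return r.advice
    return None


# Constructed inventory, one host per line: hostname,product,version,os
INVENTORY = """\
mail-bes-01,BES,5.0.0,Windows Server 2000
mail-bes-02,BES,4.1.7,Windows Server 2003
mail-bes-03,BES,5.0.1,Windows Server 2008
branch-bps-01,BlackBerry Professional Software,4.1.4,Windows Server 2003
"""


def triage(inventory: str) -> List[Tuple[str, str]]:
    """Return (host, finding) pairs for every affected host in the inventory.
    Windows Server 2000 hosts are ranked HIGH because, per the article, the
    default settings on 2003/2008 mitigate the severity of the flaws."""
    findings = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, product, version, os_name = [f.strip() for f in line.split(",")]
        advice = assess(product, version)
        if advice is None:
            continue
        priority = "HIGH" if os_name == "Windows Server 2000" else "MEDIUM"
        findings.append((host, f"{priority}: {product} {version} is affected; {advice}"))
    return findings


if __name__ == "__main__":
    for host, finding in triage(INVENTORY):
        print(f"{host}: {finding}")
```

The version comparison is done on integer tuples rather than strings so that, for example, 4.1.10 would correctly sort above 4.1.7; the inventory format and the HIGH/MEDIUM labels are choices for this example, not part of the advisory.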

BlackBerry Attachment Service has suffered various vulnerabilities over several years. For example, it had a similar PDF distiller flaw in July last year. The component was last patched in May, and it has been patched five times this year.
