Research in Motion (RIM) has shipped a patch for a critical remote code execution vulnerability in its BlackBerry Desktop Manager software.
The vulnerability lies in a Lotus Notes Intellisync DLL that BlackBerry Desktop Manager loads. It is not remotely triggerable on its own: an attacker has to lure the user into visiting a malicious web page, but once that happens the attacker gains code execution on the computer running BlackBerry Desktop Manager.
If the logged-in user clicks a link to a malicious web site on the computer running BlackBerry Desktop Manager (the link could arrive by email, instant message, or in a browser), the flaw in the Intellisync component lets the attacker who sent the link or set up the site run code on that computer with the privileges of the logged-in user. On a machine where that user is a local administrator, which is common on personal and small-business desktops, this amounts to full control of the host.
The flaw affects BlackBerry Desktop Software version 5.0 and earlier on all platforms. RIM rates it with a CVSS base score of 9.3, the score that CVSS v2 assigns to a network-reachable bug requiring no authentication and giving complete loss of confidentiality, integrity and availability, with the required user interaction reflected only as medium access complexity.
In addition to the patch, RIM offers two mitigations:
If you do not use the Lotus Notes Intellisync function, you can disable it, which removes the vulnerable component from the attack surface. This is a workaround, not a fix; users who need Intellisync, and anyone who later re-enables it, still need the patched version.
RIM also recommends that users exercise caution when clicking on links received from untrusted sources and when following links to untrusted web sites in a browser. Because exploitation needs only a single click by the user, this advice reduces but does not eliminate the risk on unpatched machines.