The flaw in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server could allow an attacker to take control of the computer that the BlackBerry Attachment Service runs on.
Research In Motion (RIM) describes the vulnerability in an advisory:
The vulnerability could allow a malicious individual to cause buffer overflow errors, leading to a Denial of Service (DoS) condition or possibly arbitrary code execution on the computer that the BlackBerry Attachment Service runs on.
Successful exploitation of this issue requires a malicious individual to persuade a BlackBerry smartphone user to open a specially crafted PDF file on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server. The PDF file may be attached to an email message, or the BlackBerry smartphone user may retrieve it from a web site using the Get Link menu item on the BlackBerry smartphone.
RIM advises administrators to apply the latest patches as outlined in the advisory.
The following server software is affected:
- BlackBerry Enterprise Server Express version 5.0.2 for Microsoft Exchange
- BlackBerry Enterprise Server versions 5.0.2, 5.0.1, 5.0.0, 4.1.7 and earlier for Microsoft Exchange
- BlackBerry Enterprise Server versions 5.0.2, 5.0.1, 5.0.0, 4.1.7 and earlier for IBM Lotus Domino
- BlackBerry Enterprise Server versions 5.0.1, 4.1.7 and earlier for Novell
- BlackBerry® Professional Software version 4.1.4 and earlier for Microsoft Exchange and IBM Lotus Domino
While BlackBerry smartphones themselves are not affected, RIM recommends that users exercise caution when receiving email messages from untrusted sources and when opening files at the direction of untrusted sources.