Vulnerabilities that could be exploited to remotely execute arbitrary code have been identified in BlackBerry Enterprise Server components. In order to address the issues, RIM has released BlackBerry Enterprise Server 5.0.4 MR2.According to the advisory published by the company, the security holes affect the components that process TIFF images for rendering on BlackBerry smartphones.
In some cases, the security holes could also be leveraged to allow the attacker to extend access to other parts of the network.
In order to exploit the vulnerabilities that affect the Mobile Data System’s Connection Service component, the attacker would have to create a malicious webpage and convince the victim to access it.
The flaws that affect the BlackBerry Messaging Agent or the BlackBerry Collaboration Service components are more dangerous because there’s no user interaction required for the attack to be successful. The attacker must simply attach a specially-crafted TIFF image to an email or an instant message and send it to a BlackBerry smartphone.
“The user does not need to click a link or an image, or view the email message or instant message for the attack to succeed in this scenario,” the company explained.
RIM is not aware of any attacks that have leveraged these vulnerabilities, but taking into account the fact that they are considered to be of high severity, the company advises customers to update to the latest version to ensure they’re fully protected.
In addition to BlackBerry Enterprise Server 5.0.4 MR2, which can be applied to all supported versions of the product, RIM has also released an interim security update.
The interim update addresses the vulnerabilities, but it doesn’t contain other changes found in the latest version of Enterprise Server.
The updates and the complete advisory are available here.