Softpedia
 


December 3rd, 2009, 14:22 GMT · By

RIM Delivers Security Patch for BES PDF Vulnerability

Canadian mobile phone maker Research In Motion has just issued a critical security advisory for a flaw in its BlackBerry Enterprise Server (BES) software. The company says that the vulnerability, which is ranked as both 9.2 and 5.7 on a scale of 0 to 10, could enable a hacker to execute malicious code and take control of the infrastructure.

The newly discovered vulnerability is in the PDF distiller component of the BES BlackBerry Attachment Service, which controls how PDF files are handled in a BES environment. As most of you might already know, this is not the first time security flaws have been discovered in the PDF distiller of RIM's BES software.

Here's what the security advisory says: “Multiple security vulnerabilities exist in the PDF distiller of some released versions of the BlackBerry Attachment Service component of the BlackBerry Enterprise Server. These vulnerabilities could enable a malicious individual to send an email message containing a specially crafted PDF file, which when opened for viewing on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server, could cause memory corruption and possibly lead to a Denial of Service (DoS) condition or arbitrary code execution on the computer that hosts the BlackBerry Attachment Service component of that BlackBerry Enterprise Server.”

According to the Canadian handset maker, BlackBerry administrators who currently use BES 4.1 Service Pack 3 (v4.1.3) are advised to head over to RIM's website and update their software to resolve this issue. At the same time, Research In Motion notes that BES 4.1.2 and earlier versions are not affected by the security flaw. Additional details on the new flaw, as well as the necessary updates, can be found on RIM's website.

The Common Vulnerability Scoring System (CVSS) ranks the vulnerability at both 9.2 and 5.7 because the threat is reduced in some cases by tools from Microsoft for the Windows BES software. Earlier this week, the Canadian maker released Service Pack 1 for BES 5.0, and it seems that those who have already adopted it should also head to the company's page to perform an update. At the same time, the company also announced that it had discovered yet another issue with BES 5.0 SP1, one that “causes users' address book listings to disappear after the 5.0 SP1 upgrade,” but it has not yet delivered a fix for it.
