Oct 14, 2010 15:57 GMT

Research In Motion (RIM) has released interim security updates for its BlackBerry Enterprise Server (BES), which address a critical remote code execution vulnerability in the PDF parsing component.

All currently supported versions of BES for Microsoft Exchange, IBM Lotus Domino and Novell GroupWise, as well as the free BlackBerry Enterprise Server Express, are affected.

The security issue is described as a buffer overflow weakness in the PDF distiller component of the BlackBerry Attachment Service, which is responsible for processing PDF documents.

The vulnerability is identified as CVE-2010-2601 and has a base score of 7.6 on the Common Vulnerability Scoring System (CVSS) scale.

Successful exploitation can lead to a denial of service (DoS) condition and also allows attackers to compromise the system by executing arbitrary code.

"The vulnerability can be exploited to cause a memory corruption when a specially crafted PDF file is opened for viewing on a BlackBerry smartphone," explain vulnerability researchers from Secunia, who rate this flaw as highly critical.

Unlike full product installers, the BES interim security updates are delivered in .zip files, which apply only the required patches to the affected components. They can be downloaded by completing a form on the company's website.

For server administrators who don't want to apply the security updates immediately, the company offers a manual workaround. It involves preventing the Attachment Service from handling PDF documents.

First, "pdf" must be removed from the list of allowed format extensions, but this alone doesn't stop the processing of PDF files that were intentionally given different extensions.

To completely mitigate the risk, the Adobe PDF distiller must also be stopped from running. After this is done, the BlackBerry Dispatcher needs to be restarted for the changes to take effect.
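The reason the extension step alone is insufficient is that an extension list says nothing about what a file actually contains. The following added example (not code from RIM, BES or the article) shows the difference between an extension-only attachment policy and one that also inspects the file's leading bytes for a PDF header. The sample attachments are constructed stand-ins, the allowed-extension list is an assumption, and the 1024-byte search window reflects the common reader tolerance for a header that is not on byte 0.

```python
"""Content-based PDF detection for an attachment filter (added example).

Extension checks alone can be bypassed by renaming a PDF; this also
checks the file's leading bytes for the PDF header.
"""
import re

# Constructed sample attachments (name -> leading bytes). The bodies are
# minimal stand-ins for demonstration, not real documents.
SAMPLE_ATTACHMENTS = {
    "report.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "invoice.txt": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",  # renamed PDF
    "notes.txt": b"Meeting notes for Thursday\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "quarterly.PDF": b"\n\n%PDF-1.5\n",  # uppercase extension, header not at byte 0
}

# Assumed allowed-extension list, with "pdf" already removed as in the workaround.
ALLOWED_EXTENSIONS = {"txt", "jpg", "doc", "xls"}

# PDF readers commonly accept the "%PDF-" header anywhere in the first 1024
# bytes, so the content check scans that window rather than only byte 0.
HEADER_WINDOW = 1024
PDF_HEADER = re.compile(rb"%PDF-\d\.\d")


def file_extension(filename: str) -> str:
    """Return the lower-cased extension without the dot, or '' if none."""
    base = filename.rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[-1].lower()


def extension_allowed(filename: str, allowed=ALLOWED_EXTENSIONS) -> bool:
    """Extension-only policy: the check the workaround's first step provides."""
    return file_extension(filename) in allowed


def looks_like_pdf(data: bytes) -> bool:
    """Content check: is there a PDF header within the first HEADER_WINDOW bytes?"""
    return PDF_HEADER.search(data[:HEADER_WINDOW]) is not None


def classify(filename: str, data: bytes, allowed=ALLOWED_EXTENSIONS) -> str:
    """Combine both checks; returns one of three verdicts."""
    if not extension_allowed(filename, allowed):
        return "blocked-by-extension"
    if looks_like_pdf(data):
        return "blocked-by-content"
    return "allowed"


def audit(attachments, allowed=ALLOWED_EXTENSIONS):
    """Verdict for every attachment in the mapping."""
    return {name: classify(name, data, allowed) for name, data in attachments.items()}


def extension_filter_misses(attachments, allowed=ALLOWED_EXTENSIONS):
    """PDFs that an extension-only filter would pass through to the parser."""
    return sorted(
        name for name, data in attachments.items()
        if extension_allowed(name, allowed) and looks_like_pdf(data)
    )


if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_ATTACHMENTS).items():
        print(f"{name:15} {verdict}")
    print("missed by extension-only filter:", extension_filter_misses(SAMPLE_ATTACHMENTS))
```

Run as-is, the extension-only check blocks `report.pdf` and `quarterly.PDF` but lets `invoice.txt` through; only the content check catches it. This is why the advisory's second step, stopping the distiller itself, is what actually closes the gap on a server that keeps processing attachments.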

"As a mobile device best practice, RIM recommends that users exercise caution when receiving email messages from untrusted sources, and opening files at the direction of untrusted sources," the BlackBerry maker advises.