The company issued a security update to protect devices from possible attacks

Jan 15, 2009 08:59 GMT

Research in Motion (RIM) is reported to have issued a patch meant to fix multiple vulnerabilities discovered in the way the BlackBerry Attachment Service handles Adobe Acrobat PDF files.

According to the security advisory the company released, when a BlackBerry mobile user received and then opened an email message with a PDF file attached, code could have been launched on the computer hosting the BlackBerry Attachment Service. According to the maker, each of the detected vulnerabilities has a Common Vulnerability Scoring System (CVSS) score of 9.3.

For the time being, RIM advised users to remove PDF files from the list of allowed extensions to protect themselves from possible attack until the patch is rolled out. On the other hand, companies that widely use and share PDFs in business are unlikely to find this stop-gap measure acceptable for long.

RIM also warns that a PDF file could be sent with another extension, and that the BlackBerry Attachment Service would still try to process the file automatically. It states that the best way to avoid such a situation is to prevent the PDF attachment distiller from running on the BlackBerry Attachment Service.
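The gap between the two workarounds can be seen in a short audit script, added here as an illustration and not taken from RIM's advisory or software. It assumes a PDF is recognised by its `%PDF-` header; the article does not say how the BlackBerry distiller identifies PDFs, and the message, file names and function names below are constructed.

```python
import email
from email import policy
from email.message import EmailMessage
from os.path import splitext

PDF_MAGIC = b"%PDF-"
# Adobe's viewers accept the header anywhere in the first 1024 bytes,
# so checking only offset 0 would miss padded files.
SCAN_WINDOW = 1024

def looks_like_pdf(data: bytes) -> bool:
    return PDF_MAGIC in data[:SCAN_WINDOW]

def audit_attachments(raw: bytes, blocked_exts=frozenset({".pdf"})):
    """Return {filename: verdict} for every attachment in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        body = part.get_payload(decode=True) or b""
        if splitext(name)[1].lower() in blocked_exts:
            verdicts[name] = "blocked-by-extension"
        elif looks_like_pdf(body):
            # The case the advisory warns about: PDF content, other extension.
            verdicts[name] = "blocked-by-content"
        else:
            verdicts[name] = "allowed"
    return verdicts

def build_sample() -> bytes:
    """Constructed message: one honest PDF, two disguised ones, one text file."""
    pdf = b"%PDF-1.4\n% constructed sample bytes, not a real document\n"
    msg = EmailMessage()
    msg["Subject"] = "Quarterly report"
    msg.set_content("See attached.")
    for fname, data in [("report.pdf", pdf), ("report.doc", pdf),
                        ("padded.bin", b"\x00" * 64 + pdf),
                        ("notes.txt", b"meeting notes\n")]:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in audit_attachments(build_sample()).items():
        print(f"{name:12} {verdict}")
```

An extension list alone would pass `report.doc` and `padded.bin`, which is why RIM points to disabling the distiller itself as the more reliable workaround.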

The maker announced that it has issued a software update that resolves this vulnerability for the BlackBerry Enterprise Server and BlackBerry Professional Software. Users are advised to download and install the company's Interim Security Update 2 for the software version they are running. The affected environments are stated to be BlackBerry Enterprise Server software version 4.1 Service Pack 3 (4.1.3) through 4.1 Service Pack 6 (4.1.6) and BlackBerry Professional Software 4.1 Service Pack 4 (4.1.4).

So far, there have been no reports of this vulnerability being actively exploited by hackers, and hopefully things will stay that way. More information on the vulnerability and RIM's solution can be found here.