
July 17th, 2008

Unpatched code execution bug haunts BlackBerry

Posted by Ryan Naraine @ 11:20 am

Categories: Arbitrary Code Execution, Browsers, Data theft, Exploit code, Hackers, Malware, Mobile (In)Security, Patch Watch, Pen testing, Vulnerability research

Tags: Adobe PDF, Smart Phone, RIM BlackBerry, Handhelds, Smart Phones, Hardware, Consumer Electronics, Personal Technology, Ryan Naraine

Security alerts aggregator Secunia has raised an alarm for a “highly critical” vulnerability that puts users of the BlackBerry Enterprise Server at risk of code execution attacks.

Technical details of the bug are not available, but Secunia says it is caused by an unspecified error in the BlackBerry Attachment Service when processing PDF files.

The vulnerability is reported in versions 4.1 Service Pack 3 (4.1.3) through 4.1 Service Pack 5 (4.1.5). Other versions may also be affected. It carries a CVSS Base Score of 9.0.

A separate advisory from Research in Motion (makers of the BlackBerry smart phone) says the flaw is in the PDF distiller of the BlackBerry Attachment Service and confirms that a malicious hacker could use a specially crafted PDF file attachment in an email message to cause arbitrary code to execute on the computer that the BlackBerry Attachment Service runs on.

If a BlackBerry smartphone user on a BlackBerry Enterprise Server opens and views the specially crafted PDF file attachment on the BlackBerry smartphone, the arbitrary code execution could compromise the computer.

The company says the issue has been escalated internally and urged BlackBerry users to be wary of PDF files that arrive from untrusted sources.

Pre-patch workarounds are available.

* Image source: Research in Motion.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.



  • Talkback
  • Most Recent of 3 Talkback(s)
RE: Really???
Laura, did you take note of the poster's "handle"??? (atlunch)

Perhaps "atlunch" is a paranoid Blackberry user....
Posted by: bfilipiak@... Posted on: 07/18/08
