BlackBerry has issued a security advisory about a vulnerability that could allow malicious code to be introduced onto its BlackBerry Enterprise Servers (BES). The vulnerability has been rated "high severity" and concerns how BES handles TIFF images on web pages, in emails, and in instant messages.
An attacker could craft a TIFF file and either send it via IM or email, or trick the user into visiting a web page with the TIFF file embedded. Apparently the user doesn't even have to click the TIFF for the attack to be successful, since the server processes the image on the user's behalf.
RIM has released BES version 5.0.4 MR2, which resolves the issue. All admins are encouraged to update BES as soon as possible.
Vulnerabilities exist in components of the BlackBerry Enterprise Server that process TIFF images for rendering on the BlackBerry smartphone. The BlackBerry® Mobile Data System – Connection Service component processes images on web pages that the BlackBerry® Browser requests. The BlackBerry® Messaging Agent component processes images in email messages. The BlackBerry® Collaboration Service processes images in instant messages sent between your organization's instant messaging server, its BlackBerry Enterprise Server, and devices that are using public APIs, a Research In Motion proprietary protocol, and protocols specified by supported integrated collaboration clients.
RIM is not aware of any attacks on or specifically targeting BlackBerry Enterprise Server customers, and recommends that affected customers update to the latest available software version to be fully protected from these vulnerabilities.
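As an added, defender-side example (not part of the advisory or of BlackBerry's own software): a small Python check that recognises TIFF content by its header bytes rather than by file extension, so a mail or IM gateway could hold such attachments back from an unpatched BES until 5.0.4 MR2 is applied. The TIFF header layout (byte-order mark, magic 42, first IFD offset) is standard; the function names and sample bytes are constructed here.

```python
import struct

# A TIFF file starts with a byte-order mark ("II" little-endian, "MM"
# big-endian) followed by the magic number 42 encoded in that byte order.
_TIFF_MAGIC = {b"II*\x00": "<", b"MM\x00*": ">"}


def tiff_header(data: bytes):
    """Return (byte_order, first_ifd_offset) if data carries a TIFF header, else None."""
    order = _TIFF_MAGIC.get(data[:4])
    if order is None or len(data) < 8:
        return None
    (ifd_offset,) = struct.unpack(order + "I", data[4:8])
    return ("little" if order == "<" else "big", ifd_offset)


def classify_attachment(filename: str, data: bytes) -> dict:
    """Decide whether an attachment should be held back from BES processing.

    Content is identified by header bytes, not by extension, because the
    server's TIFF handling is triggered by the image data itself.
    """
    hdr = tiff_header(data)
    if hdr is None:
        return {"hold": False, "reasons": []}
    byte_order, ifd_offset = hdr
    reasons = ["TIFF content detected (%s-endian)" % byte_order]
    if not filename.lower().endswith((".tif", ".tiff")):
        reasons.append("file name %r does not carry a TIFF extension" % filename)
    # The first IFD must lie after the 8-byte header and inside the file;
    # anything else is malformed and worth holding as well.
    if ifd_offset < 8 or ifd_offset + 2 > len(data):
        reasons.append("first IFD offset %d is outside the file" % ifd_offset)
    return {"hold": True, "reasons": reasons}


# Constructed samples (not real attachments): a minimal little-endian TIFF whose
# first IFD sits at offset 8 and holds zero entries, and a PNG signature.
SAMPLE_TIFF = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<HI", 0, 0)
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

if __name__ == "__main__":
    for name, blob in (("scan.tif", SAMPLE_TIFF), ("invoice.pdf", SAMPLE_TIFF), ("photo.png", SAMPLE_PNG)):
        print(name, classify_attachment(name, blob))
```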