Jim Guckin

Blackberry has announced that there is a vulnerability on their Blackberry Enterprise Server product and have released a patch to fix the vulnerability.  RIM (the maker of the blackberry) has released the patch for what they are calling a high risk vulnerability and being that it is being classified as “high risk”, it is recommended you get the patch and update your systems as soon as you can.

The Vulnerability on the Blackberry Enterprise Server has scored a 10.0 on the CVSS (Common Vulnerability Scoring System).  This vulnerability exsists in some components that process PNG and TIFF images that the blackberry phone renders.

Someone looking to exploit this weakness only needs to point a user to a specially crafted webpage, and could use this vulnerability to run remote codes on the BES (Blackberry Enterprise Server).

Affected Software

• BlackBerry® Enterprise Server version 5.0.1 through 5.0.3 MR2 for Microsoft Exchange
• BlackBerry® Enterprise Server version 5.0.1 through 5.0.3 MR2 for IBM Lotus Domino
• BlackBerry® Enterprise Server version 4.1.7 and version 5.0.1 through 5.0.1 MR3 for Novell GroupWise
• BlackBerry® Enterprise Server Express version 5.0.1 through 5.0.3 for Microsoft Exchange
• BlackBerry® Enterprise Server Express version 5.0.2 and 5.0.3 for IBM Lotus Domino

Though the target of these attacks are users of the blackberry smartphones, there is no update for the phones because the vulnerability is on the server.  Smartphone users need not worry about this, only BES admins.

Links:

RIM Blackberry Enterprise Server Venerability Problem and Patch Info (KB27244)