The Register® — Biting the hand that feeds IT


Malicious PDFs can commandeer BlackBerry Servers, RIM warns

Attackers can commandeer your BlackBerry servers by attaching maliciously formed PDF files to emails, Research in Motion warned Tuesday. The manufacturer of the smartphone advised users to install an update that patches multiple flaws in the BlackBerry's PDF distiller. The vulnerabilities are present on a variety of servers and …


Can Commandeer Blackberry Enterprise Servers

Looking at the RIM advisory, it appears the vulnerability is the Blackberry Enterprise Server (BES) itself sitting inside the enterprise network. Thus the cautionary note about network segmentation at the end...

This is big.

Regards,

Andi Baritchi

CISSP-ISSMP, CISM, CISA, PCI-QSA


not handhelds

Note that this issue affects BES not your handheld.


What the fsck ??

To look at an on-screen representation of a piece of paper, you now need an over-bloated slow program with holes the size of the US budget deficit?

I vote to ditch PDF and replace it with "e-paper". The files will be small because they only contain enough to render what would've been on the paper. The program to render will be small because all it does is display the static content contained in the "e-paper" files.

Hell the files could even use a standard description language, like postscript...

It's freezing outside, I'll get me coat


C'mon, El Reg...

"Blackberries running Microsoft Windows 2003 or 2008?" Really, now, you think a handheld can run a server OS out of Redmond? What's next, iPhones running SQL Server?

Go back and re-read the article. They're talking about the BlackBerry Enterprise Server, a bit of software kit installed on a corporate application server, not the handhelds themselves. It even states that device software is not affected!

Typing this, ironically, on my Crackberry...

Blackberry Enterprise Server

"...Blackberries running Microsoft Windows versions 2003 or 2008"

Just to be clear, we are not talking about the Blackberry devices but BES (Blackberry Enterprise Server). A key role of the BES is to provide VPN termination for Blackberry devices via RIM's proprietary protocol (although RIM don't use the term "VPN"). RIM insist that the BES should be placed on the inside of a corporate network, rather than in a DMZ, making it and the Blackberries that connect through it interesting targets for hackers.

The Blackberry Router is a smokescreen as connections from RIM and Blackberry devices are terminated at the BES, not at the Router.


Does not affect phones,only servers

A bit misleading, it doesn't commandeer your blackberry, it goes for the server not the phone.


Commandeer blackberries - NOT

The tech report states that the BlackBerry smartphone software itself is NOT compromised. Only the BlackBerry Enterprise Software or "the computer that hosts the BlackBerry Attachment Service component of that BlackBerry Enterprise Server" can be compromised. Thus this is an admin-only problem, not, as the article suggests, one that could affect each BlackBerry user.


Fact omission

Well, that surprised me, I didn't know BlackBerrys ran Windows Server 2008.

Anonymous Coward

It's Panto time!

"Patch available"...

Oh, no, it isn't!

If you follow the link to the download page for Blackberry Pro 4.1, the most recent update on there is 4, dated May '09. It's update 5 which fixes this, allegedly...

Anonymous Coward

Fix for Bold ?

RIM,

try making your hopeless phones work in the first place: constant 3G SOS problems, lock-ups and general other weirdness. As soon as my contract's up it's over to Android. Sorry for the off-topic rant folks, but these people make a 70s Alfa Romeo look reliable.

3G SOS?

Is this a known issue? - I had just thought it was typical poor Orange coverage and switched the phone to 2G only.

Anonymous Coward
Anonymous Coward

RE : 3G SOS

Yep, just Google it, don't bother with Bing as it can't find its own arse using both hands and a torch
