Research In Motion Ltd. yesterday released an “interim security update” for BlackBerry Enterprise Server (BES) 5.0 Service Pack 2 (SP2) for Microsoft Exchange and IBM Lotus Domino due to a vulnerability that could have potentially allowed a hacker or other malicious person access to organizations’ BES infrastructure. That flaw could have also been used to execute Denial of Service (DoS) attacks, according to the BlackBerry-maker. And it affects not just the full version of BES, but the free BES Express, as well.
And the BES security flaw is currently ranked 7.6, or “high severity,” on a Common Vulnerability Scoring System (CVSS) scale of 0 to 10, with 10 representing the most critical flaws.
From RIM:
“The vulnerability could allow a malicious individual to cause buffer overflow errors, leading to a Denial of Service (DoS) condition or possibly arbitrary code execution on the computer that the BlackBerry Attachment Service runs on.
“Successful exploitation of this issue requires a malicious individual to persuade a BlackBerry smart phone user to open a specially crafted PDF file on a BlackBerry smart phone that is associated with a user account on a BlackBerry Enterprise Server. The PDF file may be attached to an email message, or the BlackBerry smart phone user may retrieve it from a web site using the Get Link menu item on the BlackBerry smart phone.”
The BES 5.0.2 flaw is related to the BlackBerry Attachment Service’s PDF distiller component, and it’s not the first time RIM has had to issues patches and security advisories due to problems with the PDF distiller. In fact, RIM issued at least three different PDF-distiller-related security updates since the summer of 2008.
RIM advises BES administrators to update their BES 5.0.2 software for Exchange and Lotus Domino immediately, but to do so with caution, since performing the update process wrong can lead to additional issues. Find specifics on the BES flaw and the associated update process at RIM’s BlackBerry Technical Solution Center.
And download the BES security patch for Exchange and Lotus Domino here.