Naked Security news:

Post date: Sep 5, 2012 8:12:03 AM

More BlackBerry image problems: RIM warns of BES security vulnerabilities

by Graham Cluley on August 11, 2011

As if it weren't enough to find itself (rather unfairly in my point of view) in the firing line over how BlackBerry Messenger (BBM) was being used by British rioters, with calls for the service to be suspended, RIM now has a different kind of BlackBerry image problem.

RIM, the firm behind the popular BlackBerry smartphone, has issued a warning that a number of vulnerabilities have been found in its enterprise software (known as BlackBerry Enterprise Server, or BES).

According to RIM, a remote attacker who exploited the vulnerabilities could execute arbitrary code on the BlackBerry Enterprise Server that many firms run.

Specifically, the problem lies in the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent, and in how they process PNG and TIFF images for rendering on BlackBerry handheld devices.

In this particular case, the threat is that a BlackBerry user could be tricked into clicking a link or visiting a booby-trapped web page that points to a malformed image file. Because the server fetches and processes the image on the handheld's behalf, the malicious file is parsed on the BES rather than on the phone.

It's important to underline that these are not vulnerabilities in the BlackBerry smartphones themselves. Like other BlackBerry-related vulnerabilities we've seen in the past, the potential attack is against the BlackBerry Enterprise Server used by businesses.
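To make the failure mode concrete, here is an added example (my own illustration, not RIM's code and not the patched component) of the kind of structural pre-check a server-side image pipeline can run on untrusted PNG data before handing it to a full decoder: it walks the chunk list and rejects files whose declared chunk length runs past the end of the data, whose CRC is wrong, or whose IHDR declares absurd dimensions. The dimension limit is an assumed policy value, and the sample files are constructed inline for the demonstration; none of this describes the specific flaws RIM fixed.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Assumed policy limit for this example; pick what your renderer can actually allocate.
MAX_DIMENSION = 16384


def check_png(data, max_dimension=MAX_DIMENSION):
    """Structurally validate a PNG byte string before decoding it.

    Returns (ok, reason). Only the container is checked, not the compressed
    pixel data, so this is a cheap gate in front of a real decoder, not a
    substitute for patching the decoder itself.
    """
    if not data.startswith(PNG_SIGNATURE):
        return False, "not a PNG: bad signature"

    pos = len(PNG_SIGNATURE)
    seen_ihdr = False
    while True:
        # Every chunk needs 4 bytes length + 4 bytes type + 4 bytes CRC.
        if len(data) - pos < 12:
            return False, "truncated chunk or missing IEND at offset %d" % pos
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        name = ctype.decode("latin-1")

        # A declared length larger than what remains is the classic trigger
        # for over-reads in decoders that trust the header.
        remaining = len(data) - pos - 12
        if length > remaining:
            return False, "chunk %s declares %d bytes but only %d remain" % (name, length, remaining)

        body = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False, "CRC mismatch in chunk %s" % name

        if ctype == b"IHDR":
            if seen_ihdr:
                return False, "duplicate IHDR"
            if length != 13:
                return False, "IHDR has length %d, expected 13" % length
            width, height = struct.unpack(">II", body[:8])
            if width == 0 or height == 0:
                return False, "zero image dimension"
            if width > max_dimension or height > max_dimension:
                return False, "image %dx%d exceeds limit %d" % (width, height, max_dimension)
            seen_ihdr = True
        elif not seen_ihdr:
            return False, "chunk %s before IHDR" % name
        elif ctype == b"IEND":
            return True, "ok"

        pos += 12 + length


def _chunk(ctype, body):
    """Encode one PNG chunk: length, type, body, CRC over type+body."""
    return (struct.pack(">I", len(body)) + ctype + body
            + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF))


def make_png(width, height):
    """Constructed test data: a well-formed 8-bit greyscale PNG, all black."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # One filter byte (0 = None) followed by `width` grey samples per row.
    raw = b"".join(b"\x00" + b"\x00" * width for _ in range(height))
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


# Constructed samples for the checks above.
GOOD_PNG = make_png(4, 4)
# IHDR claims a 2^31 x 2^31 image: a naive width*height*bpp allocation overflows.
HUGE_PNG = (PNG_SIGNATURE
            + _chunk(b"IHDR", struct.pack(">IIBBBBB", 0x80000000, 0x80000000, 8, 0, 0, 0, 0))
            + _chunk(b"IEND", b""))
# The first chunk's length field is rewritten to run far past the end of the file.
OVERLONG_PNG = GOOD_PNG[:8] + struct.pack(">I", 0x7FFFFFFF) + GOOD_PNG[12:]

if __name__ == "__main__":
    for label, blob in (("good", GOOD_PNG), ("huge", HUGE_PNG), ("overlong", OVERLONG_PNG)):
        print(label, check_png(blob))
```

The same shape of check applies to TIFF, where the IFD entry counts and strip offsets play the role the chunk lengths play here. A gate like this only rejects files that are malformed at the container level; a well-formed file that triggers a bug inside the decompressor or colour conversion passes straight through, which is why the vendor patch, not the pre-check, is the actual fix.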

The risk is that by exploiting the flaw, hackers might be able to plant malicious code on your BlackBerry Enterprise Server that opens a backdoor for remote access.

Depending on how your network is set up, intruders might then be able to see into other parts of your network and steal information. A BES typically sits inside the corporate network with a privileged service account on the mail server, so a compromised one is a well-placed foothold.

Alternatively, the hackers' code might cause your systems to crash - perhaps interrupting communications.

RIM has issued updates that resolve the vulnerabilities in affected versions of BlackBerry Enterprise Server and BlackBerry Enterprise Server Express. You can find out more on their website.