BerryReview.com - BlackBerry News and Reviews

Serious Vulnerability in All Versions of Desktop Manager Before v5.0.1 – Workaround Available


This is kind of shocking. Earlier this week Tom let us know that RIM had pushed an update to his Desktop Manager. Now David let us know that RIM has published a security advisory stating that there is a vulnerability in all versions of Desktop Manager before version 5.0.1 that allows attackers to remotely execute code on your machine. The vulnerability seems to stem from the Lotus Notes Intellisync capability, but your machine is vulnerable even if Desktop Manager is not running!

RIM is recommending you either upgrade to Desktop Manager 5.0.1 or unregister the Lotus Notes DLL on the computer running the BlackBerry Desktop Manager, by going to Start Menu -> Run and entering the command:

    regsvr32 /u "C:\Program Files\Research In Motion\BlackBerry\IS71 Connectors\Lotus Notes5.0\lnresobject.dll"
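To confirm that the workaround took effect, the following PowerShell check (an added example, not part of RIM's advisory or the original post) looks for any COM registration that still points at lnresobject.dll. It assumes the DLL registers as an ordinary in-process COM server under CLSID\{guid}\InprocServer32; the advisory does not list its class IDs, so the script searches by file name.

```powershell
# Added example: verify that lnresobject.dll is no longer registered after "regsvr32 /u".
# Assumption: the DLL registers as a standard in-process COM server (InprocServer32).
$dllName = 'lnresobject.dll'
$dllPath = 'C:\Program Files\Research In Motion\BlackBerry\IS71 Connectors\Lotus Notes5.0\lnresobject.dll'  # path from the workaround command

# Check the native, 32-bit (Wow6432Node) and per-user class registrations.
$roots = @(
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Classes\CLSID',
    'Registry::HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID'
)

$hits = foreach ($root in $roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }
    Get-ChildItem -LiteralPath $root -ErrorAction SilentlyContinue | ForEach-Object {
        $sub = $_.OpenSubKey('InprocServer32')
        if ($sub) {
            $server = [string]$sub.GetValue('')      # default value holds the server DLL path
            $sub.Close()
            if ($server -like "*\$dllName*") {
                [pscustomobject]@{ Clsid = $_.PSChildName; Server = $server; Root = $root }
            }
        }
    }
}

if ($hits) {
    Write-Warning "$dllName is still registered; the workaround has not been applied:"
    $hits | Format-Table -AutoSize
} else {
    Write-Output "No COM registration references $dllName."
}

# regsvr32 /u removes the registration only; the file itself stays on disk.
if (Test-Path -LiteralPath $dllPath) {
    Write-Output "File still present (expected after unregistering): $dllPath"
}
```

Run it before and after the regsvr32 /u command; a later repair or reinstall of a pre-5.0.1 Desktop Manager may register the DLL again, so the check is worth repeating.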

From RIM’s advisory:

This advisory relates to a vulnerability in a Lotus Notes Intellisync DLL that the BlackBerry Desktop Manager may use. This vulnerability may allow a malicious user to perform an attack that leverages social engineering to achieve remote code execution on the computer running the BlackBerry Desktop Manager. If the legitimate (logged in) user clicks a link to a malicious web site (for example, in an email message, in a browser, or an instant message) on the computer that is running the BlackBerry Desktop Manager, a vulnerability in an Intellisync component could allow the malicious user who sent the link or created the malicious web site to execute code on the computer using the privileges of the legitimate user.

Note: The affected Lotus Notes Intellisync DLL is included by default in all BlackBerry Desktop Manager installations. This vulnerability exists whether or not the DLL is used after installation.

Issue Severity: This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.3.

Issue Status: Vulnerability confirmed. For more information, see the Resolution section.

via CIO.com

This entry was posted on Wednesday, November 4th, 2009 and is filed under News.
2 Comments to “Serious Vulnerability in All Versions of Desktop Manager Before v5.0.1 – Workaround Available”

  1. Given the CVSS score, this is serious! FYI, there was the DM 5.0.1 download on RIM’s website, followed by an auto update (changed the AppLoader version, but not the DM itself) — the version number still shows as 5.0.1 after installing BOTH updates.

  2. I guess the question becomes is this something “new” that wasn’t included in the “Service Pack 1” that was posted about here last Monday (the 26th)??? That was supposedly “Bundle 30” and it appears that “Bundle 30” is what’s still on the blackberry.com web site (in its 4 flavors).
