You would think by now RIM would have this PDF distiller nightmare under control! Every few months for the last two years or so RIM has had to deal with another PDF distiller vulnerability. RIM is not alone since Adobe is known for creating highly vulnerable standards in Flash and PDF standards.
The latest vulnerability was spotted by Al over @CIO.com. It is a High Severity (CVSS score 7.6) vulnerability that opens the door to denial of service attacks and arbitrary code execution on the host server running the distiller. In short a user can open up a PDF file and really screw up your BES server and even lead to a security issue in your corporate environment. Sounds amazing right?
According to RIM the problem is:
The vulnerability could allow a malicious individual to cause buffer overflow errors, leading to a Denial of Service (DoS) condition or possibly arbitrary code execution on the computer that the BlackBerry Attachment Service runs on.
Successful exploitation of this issue requires a malicious individual to persuade a BlackBerry smartphone user to open a specially crafted PDF file on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server. The PDF file may be attached to an email message, or the BlackBerry smartphone user may retrieve it from a web site using the Get Link menu item on the BlackBerry smartphone.
You can read more about the issue and download the Interim Security Update 1 for your version of BES in this knowledge base article. Your other option instead of patching is to once again disable the PDF distiller. I am truly hoping that RIM finally squashes this PDF bug and finds a way to avoid remote code execution vulnerabilities in the future.
PS: Anybody want to guess how long it will take to have the first Flash vulnerability once RIM releases Adobe Flash for BlackBerry?