I got an email about this vulnerability and thought I would mention it. Now we know why Unite was quietly upgraded to 1.0.1 bundle 36+ recently. RIM was nice enough to report the vulnerability details.
Turns out that there is a vulnerability in the Unite and BES PDF distiller in the BlackBerry attachment service that converts PDF files for viewing on your BlackBerry. If you open the wrong kind of PDF it can execute code on your system which is very bad. This vulnerability gets a Common Vulnerability Scoring System (CVSS) score of 9.0 which is pretty serious.
Right now Unite has a fix by autoupdating but BES users are out of luck. BES admins are encouraged to disable the PDF functionality following the instructions linked to below.
Systems effected:
- BES 4.1 service pack 3 (4.1.3) through service pack 5 (4.1.5)
- Currently RIM is stating: This issue has been escalated internally to our development team. No resolution time frame is currently available.
- BlackBerry Unite 1.0.1 bundle 35 and earlier
You can read more about it on RIM’s website at these links:
- BES – Vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server
- Unite – Vulnerability in the PDF distiller of the BlackBerry Attachment Service for BlackBerry Unite
Thanks to Josep for pointing out the knowledgebase articles!
Ronen Halevy ( View Profile) - Posts: