Blackberry has announced that vulnerabilities in its Blackberry Enterprise Server could possibly allow malicious code in image files to be executed remotely. For regular Blackberry users, this is not an issue, but for a Blackberry Enterprise Server administrator this vulnerability is a major issue.
The actual vulnerability in BES resulted from how the server processes image files. The flaw that been rated as “high severity” works in the following manner: A malicious person writes a special code and then embeds it in a TIFF image file. The person then convinces a Blackberry smart phone user (whose phone is connected to a corporate BES) to view the TIFF file. As soon as the image file loads on the phone, the code runs on the Blackberry Enterprise server and either opens up a back door in the network or causes the network to crash altogether as instructed in the basic code.
According to the advisory given by Blackberry “Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone. Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server. Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.”
The good news for system administrators is that Blackberry has announced solutions within its advisory message and has also published a workaround. If you’re a BES admin, it is recommended to update the BES software as soon as possible.