Blog: RIM patches another flaw in BlackBerry Enterprise Server

Research In Motion released an "interim security update" for BlackBerry Enterprise Server (BES) 5.0 Service Pack 2 (SP2) for Microsoft Exchange and IBM Lotus Domino due to a vulnerability that could have potentially allowed a hacker or other malicious person access to organizations' BES infrastructure. That flaw could have also been used to execute Denial of Service (DoS) attacks, according to the BlackBerry-maker.

It affects not just the full version of BES, but the free BES Express, as well.

The BES security flaw is ranked 7.6, or "high severity," on a Common Vulnerability Scoring System (CVSS) scale of 0 to 10, with 10 representing the most critical flaws.

From RIM on Tuesday:

"The vulnerability could allow a malicious individual to cause buffer overflow errors, leading to a Denial of Service (DoS) condition or possibly arbitrary code execution on the computer that the BlackBerry Attachment Service runs on.

"Successful exploitation of this issue requires a malicious individual to persuade a BlackBerry smartphone user to open a specially crafted PDF file on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server. The PDF file may be attached to an email message, or the BlackBerry smartphone user may retrieve it from a web site using the Get Link menu item on the BlackBerry smartphone."

The BES 5.0.2 flaw is related to the BlackBerry Attachment Service's PDF distiller component, and it's not the first time RIM has had to issues patches and security advisories due to problems with the PDF distiller. In fact, RIM issued at least three different PDF-distiller-related security updates since the summer of 2008. (Find information on those previous BES security flaws here, here and here.)

RIM advises BES administrators to update their BES 5.0.2 software for Exchange and Lotus Domino immediately, but to do so with caution, since performing the update process incorrectly can lead to additional issues. Find specifics on the BES flaw and the associated update process at RIM's BlackBerry Technical Solution Center.

And download the BES security patch for Exchange and Lotus Domino here.

Via @banthon

Al Sacco covers Mobile and Wireless for Follow Al on Twitter @ASacco. Follow everything from on Twitter @CIOonline. E-mail Al at

This story, "Blog: RIM patches another flaw in BlackBerry Enterprise Server" was originally published by CIO.

Copyright © 2010 IDG Communications, Inc.

Shop Tech Products at Amazon