Blackberry's email-on-the-go devices could be compromised by two new vulnerabilities in the Blackberry Enterprise Server, potentially allowing malicious attacks that would prevent users from opening email attachments.

Blackberry's developer, Research In Motion, said the first vulnerability allows an attacker to use a corrupt TIFF image file to cause an error that can disrupt users' ability to view attachments.

The second vulnerability is exploited by sending malformed protocol packets that cause a denial of service for all Blackberry Enterprise Server communication. The vulnerability normally applies only to internal users but can be exploited by an external attacker who is able to manipulate Domain Name System (DNS) queries, RIM said.

Both vulnerabilities were demonstrated at the Chaos Communication Conference in Berlin just after Christmas.

In a posting on its support website, RIM said it was aware of the vulnerability and will fix the problem in future software releases. In the meantime, the company suggested that administrators use a work-around that blocks TIFF attachments, and also advised companies to create static entries in their DNS or hosts tables for the Blackberry Infrastructure to minimise the risk of DNS hijacking.

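The two interim workarounds RIM describes, blocking TIFF attachments and pinning the Blackberry Infrastructure in DNS or hosts tables, both come down to checks an administrator can script. The example below is added here and is not code from the article or from RIM. It identifies TIFF attachments by their file header rather than by filename, so a renamed `.tif` cannot slip past an extension-based block, and it audits a hosts file for the static entries the advisory calls for. The attachment bytes and hostnames are constructed placeholders; the page does not name the real Blackberry Infrastructure hosts.

```python
"""Added example (not from the original article or RIM): two checks that
correspond to the workarounds described above.

1. Identify TIFF attachments by their magic bytes rather than by file
   extension, so a renamed .tif cannot slip past a filename-based block.
2. Verify that a hosts file carries static entries for a list of
   infrastructure hostnames (placeholder names here; the real Blackberry
   Infrastructure hostnames are not given in the article).
"""

# A TIFF file starts with a byte-order mark followed by the magic number 42:
# "II" + 0x2A00 (little-endian) or "MM" + 0x002A (big-endian).
TIFF_MAGIC = (b"II\x2a\x00", b"MM\x00\x2a")


def is_tiff(data: bytes) -> bool:
    """Return True when the payload begins with a TIFF header."""
    return data[:4] in TIFF_MAGIC


def classify_attachments(attachments):
    """Split (filename, bytes) pairs into (allowed, blocked) name lists.

    The decision is made on content, not on the filename the attachment
    carries, so a TIFF renamed to .jpg is still blocked.
    """
    allowed, blocked = [], []
    for name, data in attachments:
        (blocked if is_tiff(data) else allowed).append(name)
    return allowed, blocked


def parse_hosts(text: str) -> dict:
    """Parse hosts-file text into {hostname: ip}, ignoring comments and blanks."""
    entries = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            entries[name.lower()] = ip
    return entries


def missing_static_entries(hosts_text: str, required: list) -> list:
    """Return the required hostnames that have no static hosts entry."""
    entries = parse_hosts(hosts_text)
    return [host for host in required if host.lower() not in entries]


# --- constructed sample data (not real messages or real hostnames) ---
SAMPLE_ATTACHMENTS = [
    ("report.pdf", b"%PDF-1.4 ..."),
    ("scan.tif", b"II\x2a\x00\x08\x00\x00\x00"),
    ("photo.jpg", b"MM\x00\x2a\x00\x00\x00\x08"),  # TIFF disguised as JPEG
    ("notes.txt", b"plain text"),
]

SAMPLE_HOSTS = """
127.0.0.1   localhost
# placeholder: replace with the addresses and names RIM documents
203.0.113.10  relay.example-bb-infra.invalid
"""

# Hypothetical names standing in for the Blackberry Infrastructure hosts.
REQUIRED_HOSTS = ["relay.example-bb-infra.invalid", "srp.example-bb-infra.invalid"]

if __name__ == "__main__":
    allowed, blocked = classify_attachments(SAMPLE_ATTACHMENTS)
    print("blocked TIFF attachments:", blocked)
    print("hosts entries still missing:", missing_static_entries(SAMPLE_HOSTS, REQUIRED_HOSTS))
```

Checking the header rather than the extension matters because a filename-only filter is trivially bypassed by renaming; the hosts-file audit is a one-time sanity check that the pinning RIM recommends has actually been applied on each server.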
It may only seem this way, but with RIM's ongoing patent battle with NTP, is security being neglected? I'm sure RIM would deny it, but its security announcements always seem to carry an "if we must" smell about them, which I'm sure goes down well with all those companies now wedded to their Blackberries.