Blackberry's email-on-the-go devices could be compromised by two new vulnerabilities in the Blackberry Enterprise Server, potentially allowing malicious attacks that would prevent users from opening email attachments.
Blackberry's developer, Research In Motion, said the first vulnerability allows an attacker to use a corrupt TIFF image file to cause an error that can disrupt users' ability to view attachments.
The second vulnerability is exploited by sending malformed protocol packets that cause a denial of service for all Blackberry Enterprise Server communication. The vulnerability normally applies only to internal users but can be exploited by an external attacker who is able to manipulate Domain Name System (DNS) queries, RIM said.
Both vulnerabilities were demonstrated at the Chaos Communication Conference in Berlin just after Christmas.
In a posting on its support website, RIM said it was aware of the vulnerability and will fix the problem in future software releases. In the meantime, the company suggested that administrators use a work-around that blocks TIFF attachments, and also advised companies to create static entries in their DNS or hosts tables for the Blackberry Infrastructure to minimise the risk of DNS hijacking.
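As an added illustration (not RIM's work-around and not code from this article), the Python below shows one way a mail gateway could pick out TIFF attachments for blocking: it checks the file's magic bytes as well as the declared content type and file name, so a TIFF renamed to another extension is still caught. The function names and the sample message are constructed for this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# TIFF files start with a byte-order mark ("II" or "MM") plus the number 42.
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")
TIFF_TYPES = {"image/tiff", "image/x-tiff"}
TIFF_EXTS = (".tif", ".tiff")


def tiff_reasons(part):
    """Return the reasons a MIME part looks like a TIFF (empty list if none)."""
    reasons = []
    if part.get_content_type().lower() in TIFF_TYPES:
        reasons.append("content-type")
    name = (part.get_filename() or "").lower()
    if name.endswith(TIFF_EXTS):
        reasons.append("extension")
    payload = part.get_payload(decode=True) or b""
    if payload[:4] in TIFF_MAGICS:
        reasons.append("magic")
    return reasons


def find_tiff_parts(raw_message: bytes):
    """Walk every MIME part and list (filename, reasons) for TIFF-like parts."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        # Multipart containers carry no file content of their own.
        reasons = [] if part.is_multipart() else tiff_reasons(part)
        if reasons:
            hits.append((part.get_filename(), reasons))
    return hits


def build_sample() -> bytes:
    """Constructed sample: an honest TIFF, a TIFF renamed to .dat, a text file."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "scan"
    msg.set_content("see attached")
    tiff_header = b"II*\x00\x08\x00\x00\x00"  # header bytes only, not a full image
    msg.add_attachment(tiff_header, maintype="image", subtype="tiff", filename="scan.tif")
    msg.add_attachment(tiff_header, maintype="application", subtype="octet-stream", filename="report.dat")
    msg.add_attachment(b"hello", maintype="application", subtype="octet-stream", filename="notes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, reasons in find_tiff_parts(build_sample()):
        print(filename, reasons)
```

A filter that matched only on extension or declared type would pass `report.dat` in the sample; the magic-byte check is what flags it.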
It may just appear this way, but with RIM's ongoing battle with NTP over patents, is security being neglected? I'm sure RIM would deny it, but its security announcements always seem to carry an "if we must" smell about them, which I'm sure goes down well with all those companies now wedded to their Blackberries.