BlackBerry patches image exploit that targets servers
By Dave Stevenson
Posted on 22 Feb 2013 at 10:03
BlackBerry has issued a patch for a flaw in its enterprise server software that could be exploited with TIFF images carrying malicious code.
The image-based exploit affected BlackBerry Enterprise Server (BES), allowing hackers to access and execute code on servers used to support corporate users of BlackBerry smartphones.
The exploit used a TIFF image containing malicious code, and the dangerous image can either be linked to an email or attached directly to it.
"Vulnerabilities exist in components of the BlackBerry Enterprise Server that process TIFF images for rendering on the BlackBerry smartphone," BlackBerry said in the security update.
Because BES re-compresses images server-side before delivering them to handsets, the recipient does not necessarily need to click the link or view the image for the exploit to trigger.
"Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server," the company added. "Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network."
BlackBerry gave the flaw a "high severity" ranking, and advised users to apply the patch immediately, and if that's not possible, to use the supplied workaround. However, the company said it was "not aware of any attacks on or specifically targeting BlackBerry Enterprise Server customers".
BES products at risk include BES Express 5.0.4 and BES 5.0.4. Users of handsets that aren't supported by BES are not at risk, and BlackBerry says that in the event of a breach, handsets themselves won’t be affected.
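Because the server renders images before anyone opens them, a mail-gateway check that identifies TIFF content by its header bytes rather than by filename or declared MIME type is a useful compensating control while patching. The following is an added example, not code from BlackBerry or the advisory; the message and the disguised attachment are constructed inline, and the hypothetical domain names are placeholders.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# A TIFF begins with a byte-order mark and the magic number 42:
# "II" + 2A 00 (little-endian) or "MM" + 00 2A (big-endian).
TIFF_MAGIC = (b"II\x2a\x00", b"MM\x00\x2a")
# BigTIFF uses version number 43 instead of 42.
BIGTIFF_MAGIC = (b"II\x2b\x00", b"MM\x00\x2b")

# Links to .tif/.tiff resources in the message body (case-insensitive).
TIFF_LINK_RE = re.compile(r"https?://[^\s\"'<>]+\.tiff?(?:[?#][^\s\"'<>]*)?", re.I)


def is_tiff(data: bytes) -> bool:
    """Detect TIFF by its header, ignoring filename and declared content type."""
    return data[:4] in TIFF_MAGIC or data[:4] in BIGTIFF_MAGIC


def find_tiff_content(raw: bytes) -> dict:
    """Report attachments that are TIFF by magic bytes, and links to TIFF URLs."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {"attachments": [], "links": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        if ctype.startswith("text/"):
            findings["links"].extend(TIFF_LINK_RE.findall(part.get_content()))
        else:
            payload = part.get_payload(decode=True) or b""
            if is_tiff(payload):
                findings["attachments"].append((part.get_filename(), ctype))
    return findings


def build_sample() -> bytes:
    """Constructed sample: a TIFF header labelled as PNG, plus a link to a .tif file."""
    msg = EmailMessage()
    msg["Subject"] = "Q1 figures"
    msg["From"] = "sender@example.com"  # placeholder address
    msg["To"] = "user@example.com"      # placeholder address
    msg.set_content("See http://files.example.com/report.tif for the chart.")
    # Little-endian TIFF header with an IFD offset of 8, padded with zeros.
    msg.add_attachment(b"II\x2a\x00" + b"\x08\x00\x00\x00" + b"\x00" * 16,
                       maintype="image", subtype="png", filename="chart.png")
    return msg.as_bytes()


if __name__ == "__main__":
    print(find_tiff_content(build_sample()))
```

The attachment is flagged even though it is labelled image/png, which is the point: the server-side renderer will treat the bytes as TIFF regardless of what the sender declared.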
You can read the full advisory here and BlackBerry security update here.