BlackBerry patches image exploit that targets servers
By Dave Stevenson
Posted on 22 Feb 2013 at 10:03
BlackBerry has issued a patch for a flaw in its enterprise server system that used TIFF images to hide malicious code.
The image-based exploit affected BlackBerry Enterprise Server (BES), allowing hackers to access and execute code on servers used to support corporate users of BlackBerry smartphones.
The exploit used a TIFF image containing malicious code, and the dangerous image can either be linked to an email or attached directly to it.
"Vulnerabilities exist in components of the BlackBerry Enterprise Server that process TIFF images for rendering on the BlackBerry smartphone," BlackBerry said in the security update.
BlackBerry Z10: the verdict
Since BES re-compresses images server-side before delivering them to users, the recipient of the threat doesn't necessarily need to either click the link or view the image for the exploit to go live.
"Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server," the company added. "Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network."
BlackBerry gave the flaw a "high severity" ranking, and advised users to apply the patch immediately, and if that's not possible, to use the supplied workaround. However, the company said it was "not aware of any attacks on or specifically targeting BlackBerry Enterprise Server customers".
BES products at risk include BES Express 5.0.4 and BES 5.0.4. Users of handsets that aren't supported by BES are not at risk, and BlackBerry says that in the event of a breach, handsets themselves won’t be affected.
- Hands on with the new Google Maps
- Nokia Lumia 925 review: first look
- Why I won't subscribe to Creative Cloud
- GoPro camera strapped to a remote-control helicopter: the ultimate boy's toy
- Acer Iconia A1 review: first look
- Acer Aspire P3 review: first look
- Acer Aspire R7 review: first look
- How we produce the PC Pro podcast
- Google Now draining iPhone battery
- The government website that doesn't work with IE, Chrome, Firefox, Safari, Macs or smartphones
- Yes, I write down my passwords
- How to deal with a ransomware attack
- How secure is your Wi-Fi network?
- How QR codes caught out the security pros
- Why I do not trust Do Not Track... yet
- The hard disks you can "secure" with a single-digit password
- Why I've started using a password manager
- Time to kill off CAPTCHA
- Are today's young people Generation I (for insecure)?
- Ransomware that's better made than antivirus software