BES can be exploited with image file

Viruses, hackers and crackers
Ron2K
Forum Technical Administrator
Posts: 9050
Joined: 04 Jul 2006, 16:45
Location: Upper Hutt, New Zealand

Post by Ron2K »

There are remotely and easily exploitable vulnerabilities in the BlackBerry Enterprise Server that could allow an attacker to gain access to the server by simply sending a malicious image file to a user's BlackBerry device.

The vulnerabilities are in several versions of BES for Exchange, Lotus Domino and Novell GroupWise, and Research in Motion said that an attacker who is able to exploit one of the bugs might also be able to move from the compromised BES server to other parts of the network. The company has issued a patch for the BES flaws and says that they are at the top of the severity scale in terms of exploitability.

The vulnerability in both the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent is related to the way that the components handle PNG and TIFF image files. Exploiting the vulnerabilities can be as easy as sending a malicious PNG or TIFF file to a BlackBerry user. In some scenarios, the user wouldn't even need to open the email or click on a link in order to complete the attack.
Source

While it's worth noting that a patch for this vulnerability has already been issued, it's still a tad concerning.
Kia kaha, Kia māia, Kia manawanui.
rustypup
Registered User
Posts: 8872
Joined: 13 Dec 2004, 02:00
Location: nullus pixius demonica

Re: BES can be exploited with image file

Post by rustypup »

Ron2K wrote: it's still a tad concerning.
meh. the real story is "most users are suckers who will click on any damn thing regardless of who sent it to them" - which amounts to a romero-ism of silly proportions...

also, if your BES service account has anything above severely restricted access to other machines on your LAN, you have bigger fish to fry... :/
Most people would sooner die than think; in fact, they do so - Bertrand Russell