PDF vulnerability found in BlackBerry Attachment Service

Research In Motion issues a fix for a flaw in the way documents are attached

Research In Motion has issued a security alert acknowledging a vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server.

The vulnerability is rated 9.3 (out of 10) on the Common Vulnerability Scoring System (CVSS). That is considered “high” in the National Vulnerability Database severity ratings. The advisory is intended for BlackBerry Enterprise Server (BES) administrators, who are the recommended persons to apply the RIM-supplied fix. The vulnerability affects BES Exchange, IMB Lotus Domino and Novell GroupWise versions 4.1.6, 4.1.7, 5.0.0 and 5.0.1. BES Exchange and IMB Lotus Domino versions 5.0.2 and the Exchange-only 5.0.2 are also affected.

BlackBerry Device Software, Desktop Software and Internet Service products are not affected nor are BlackBerry smart phones.

RIM suggests for best practice “that users exercise caution when receiving e-mail messages from untrusted sources, and opening files at the direction of untrusted sources.”

Related coverage:

New BlackBerry OS gets FIPS 140-2 cryptography certification

Here is the description of the problem, according to RIM alert:

"The vulnerability could allow a malicious individual to cause buffer overflow errors, which may result in arbitrary code execution on the computer that hosts the BlackBerry Attachment Service. While code execution is possible, an attack is more likely to result in the PDF rendering process terminating before it completes. In the event of such an unexpected process termination, the PDF rendering process will restart automatically but will not resume processing the same PDF file."

"Successful exploitation of this vulnerability requires a malicious individual to persuade a BlackBerry smartphone user to open a specially crafted PDF file on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server. The PDF file may be attached to an e-mail message or the BlackBerry smartphone user may retrieve it from a website using the BlackBerry Browser."

About the Author

Dan Rowinski is a staff reporter covering communications technologies.


  • Russia prying into state, local networks

    A Russian state-sponsored advanced persistent threat actor targeting state, local, territorial and tribal government networks exfiltrated data from at least two victims.

  • Marines on patrol (US Marines)

    Using AVs to tell friend from foe

    The Defense Advanced Research Projects Agency is looking for ways autonomous vehicles can make it easier for commanders to detect and track threats among civilians in complex urban environments without escalating tensions.

Stay Connected