BlackBerry Enterprise Server (BES) suffers from multiple vulnerabilities in its attachment service, RIM said in a security advisory earlier this week. The memory corruption flaws in BlackBerry Attachment Service could allow an attacker to send a malformed PDF to a smartphone. If the document is opened, it could crash the service or give the hacker unfettered access to a computer hosting the service, the company said. BlackBerry Attachment Service is a component of BES.
The security holes affect PDF distillers in BES version 5.0.0 for Windows Server 2008, 2003, and 2000. The flaws on systems running BES 5.0.0 for Windows Server 2000 are more serious, said the handset maker, as Windows Server 2008 and 2003 have default security settings that mitigate the severity of the flaws.
Vulnerabilities are also present in BES versions 4.1.3 to 4.1.7, and BlackBerry Professional Software 4.1.4.
RIM recommended that administrators upgrade to unaffected versions of BES; for example, those running BES 5.0 for Exchange and Domino should move to 5.0.1. Alternatively, IT managers can apply interim security updates, according to the advisory. A workaround is to disable the BlackBerry Attachment Service (BAS).