Users of BlackBerry Enterprise Server (BES) should disable PDF file access until a new patch can be rolled out or face the risk of an attack that could corrupt device memory and hijack corporate servers, Research in Motion says.
The security flaw means a hacker could attach a malicious PDF file to an e-mail which, when opened on a BlackBerry handset, could launch an attack leading to memory corruption. It could also be used to execute code on a computer running the BlackBerry Enterprise Server’s BlackBerry Attachment Service.
RIM has released a patch for both BES version 5.0 and 4.1.x that can be downloaded here. A security bulletin was sent out regarding the problem, but many companies may not have received the alert, says Graham Cluley, senior technology consultant at U.K.-based Sophos plc.
“The problem is people don’t often sign up for these types of security advisories,” he says. “The race is on to get ahead of the hackers who may be looking to take advantage of this, now that it’s been made public.”
System administrators who can’t immediately update with the new patch should block user devices from opening PDF files as a workaround in the meantime, according to the security bulletin.
“To do this, edit the list of file format extensions that the service opens and prevent the PDF attachment distiller from running,” the RIM advisory says. “Users must also remove the PDF file extension from the list of supported file format extensions … otherwise, the service will detect a PDF file with a renamed extension and attempt to process it automatically.”
A full, step-by-step guide to the workaround is included in the security bulletin.
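The advisory's warning that the attachment service identifies a PDF by its content, not its name, is the part administrators most often get wrong when improvising a block. The following is an added illustration written for this page, not code from RIM or from the BES security bulletin, and it does not touch any BES configuration: it is a small mail-gateway style triage filter that checks both the attachment's extension and its leading bytes, so a PDF renamed to .txt is still caught. The attachment records and the `HEADER_SCAN_WINDOW` value are constructed assumptions for the example.

```python
from dataclasses import dataclass

# A PDF begins with a header line "%PDF-x.y". Readers tolerate some leading
# junk before it, so a content check scans the start of the file rather than
# looking only at byte 0. The 1024-byte window is an assumption for this example.
PDF_MAGIC = b"%PDF-"
HEADER_SCAN_WINDOW = 1024
BLOCKED_EXTENSIONS = {"pdf"}


@dataclass
class Attachment:
    filename: str
    data: bytes


def extension_of(filename: str) -> str:
    """Return the lower-cased extension without the dot, or '' if there is none."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[-1].lower()


def looks_like_pdf(data: bytes) -> bool:
    """Content check: does the file carry a PDF header near its start?"""
    return PDF_MAGIC in data[: HEADER_SCAN_WINDOW + len(PDF_MAGIC)]


def classify(att: Attachment) -> str:
    """Verdict for one attachment.

    'block-extension': named as a PDF; an extension list alone stops this.
    'block-content'  : not named as a PDF but carries a PDF header. This is the
                       renamed-file case the RIM advisory warns about, and the
                       reason an extension-only block is not enough.
    'allow'          : neither.
    """
    if extension_of(att.filename) in BLOCKED_EXTENSIONS:
        return "block-extension"
    if looks_like_pdf(att.data):
        return "block-content"
    return "allow"


def triage(attachments):
    """Map each attachment's filename to its verdict."""
    return {a.filename: classify(a) for a in attachments}


# Constructed sample attachments for the demonstration (not real mail traffic).
SAMPLE = [
    Attachment("quarterly.pdf", b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"),
    # Same bytes as above, renamed: the extension check misses it, the content check does not.
    Attachment("quarterly.txt", b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"),
    Attachment("notes.txt", b"Meeting notes: nothing to see here.\n"),
    # PDF header preceded by padding, still within the scan window.
    Attachment("padded.dat", b"\x00" * 200 + b"%PDF-1.6\n%\xe2\xe3\xcf\xd3\n"),
    Attachment("archive.zip", b"PK\x03\x04" + b"\x00" * 26),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE).items():
        print(f"{name:16} {verdict}")
```

Run as a script, the filter reports `quarterly.txt` and `padded.dat` as `block-content`, which is exactly the class of file an extension-only rule would have let through to the attachment service.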
Administrators shouldn’t rely on BlackBerry users to avoid the PDF files, Cluley says.
“It’s untenable to ask business users to not open PDFs,” he says. “It would be too disruptive to their work, particularly when PDFs are exchanged so commonly.”
The popular file format has faced its share of security challenges in recent months. RIM issued a patch for a similar problem in January. Adobe Acrobat and Adobe Reader, applications used to edit and view PDF documents, have also been prone to security vulnerabilities.
Adobe released a patch for both its Reader and Acrobat programs on March 10. The software was found to contain a “buffer overflow vulnerability in the handling of JBIG2 streams,” according to the United States Computer Emergency Readiness Team.
The flaws could be used to crash the programs and gain control of an affected system, or launch a denial of service attack. There was evidence the vulnerabilities were exploited by hackers. These revelations have caused Adobe to rethink its security strategy, according to a blog post by Brad Arkin, director of product security and privacy at Adobe.
“What started out as a routine incident response expanded to a broader effort by Adobe Reader and Acrobat engineers, culminating in permanent changes to our software security approach for these products,” he says.
Adobe has been reviewing its legacy code and applying the same, more stringent procedures that have been successful in preventing vulnerabilities in new code.
The software vendor will also start issuing a planned security update to its software once every quarter. Those updates will come on the third Tuesday of every three months — following the Microsoft “patch Tuesday” model of updates.
“So once a quarter, along with your Microsoft patches, you’ll also have your Adobe patches,” Cluley says. “It will help system administrators keep on top of the updates and make it part of their routine.”
Adobe shipped out updates to 17 different versions of its software for Windows, Mac and UNIX on Tuesday, May 12 (coincidentally, Microsoft’s patch day). The company uses a Product Security Incident Response Team blog to communicate about such updates.
But Adobe won’t be patching problems that third-party software has with the PDF format, Cluley points out.
“Normally, most people are probably looking towards Adobe for the patches, but this is a patch from the BlackBerry guys,” he says, referring to the RIM security bulletin.
Adobe’s regular security updates will begin this summer, Arkin says.