BlackBerry warns of TIFF-based BES vulnerability

By Simon Sage on 19 Feb 2013 10:21 am EST
4
loading...
7
loading...
30
loading...

BlackBerry Security

BlackBerry has recently issued a warning that enterprise servers could be remotely accessed when they process images in a TIFF format. Attackers would need to craft a specific web page and get someone with sufficient privileges to click on a link to that page on their BlackBerry. Alternatively, they could send an e-mail or an instant message with this image, and they wouldn't even have to answer it in order for the exploit to work. Here's a snippet from the recently-released knowledge base article...

Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone. Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server. Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.

We've seen these kinds of security vulnerability warnings issued before, and generally when they're this high on the severity scale, they get taken care of pretty quickly. In fact, a software patch is already in place to fix this TIFF vulnerability - admins just have to update their servers to version 5.0.4 MR2 or download an interim release. 

So end users, so long as your IT dude is competent and keeping the BES software up to date, you really don't have anything to worry about.

20 comments

crwblyth

Funny typo: competant -> competent

rorykins

Competent as competent can be

Ronstermadness

SO IOS HAS A HUGE PASSWORD FLAW WERE YOU CAN GET INTO ANY LOCKED IPHONE EASLY AND ILL I SEE IN THE HEADLINES IS THIS WITCH THERE IS ALREADY A FIX FOR!

supraking

Apple doesn't claim to be the best around for security. BlackBerry does. It would be more like if iTunes stopped working with iPods all of a sudden. That would be in the news.

tfp

To me, this is actually a good thing. BlackBerry is being upfront with their security issues as opposed to Apple that denies there ever was an issue lol

Blackberry_Fiend

I almost feel the word "FIX AVAILABLE" should be before the title to this article.

40 more days till I lose my mind if the Z10 isn't made available on VZW.

imcurved

Agree. The title should somehow convey that a fix is available.

TMO_9000_32GB_PB

celestial blue

if we're going to ride him about his spelling, let's talk about "priviledges" as well.
No spell check at Crackberry.com? *le sigh*

ThaMunsta

AINTNOBODYGOTTIMEFORTHAT.jpg

bbfanboi

What about jpegs, bmps, pngs? Don't those also have you get the image off the remote web site? Why is this issue specific to TIFFs?

supraking

Why is this issue specific to TIFFs?

Because it's specific to TIFFs. Image formats are all different. Each is processed differently. Hence, a vulnerability can exist in one without existing in another.

blackmoe

TIFFs are huge files so therefore they have the ability to contain a preview image file. I imagine the preview file could be used as a malware payload instead of a preview image.

thatplaybookguy

yes, you can use Obfuscation to hide a program within a tiff, its how many psp exploits were found out in the last decade. heck I have a program that can do it and then another that can reveal what was hidden. Im an ex hacker.

thatplaybookguy

Do any of you honestly think there will NOT be a fix. come on this is Blackberry not android or iphoney. those guys dont have the same security infrastructure.

omniusovermind

Blackberry's top rating for security going once... going twice... SOLD to the man from Redmond!

dhahn#CB

So, when I open the readme and instructions for BlackBerry Enterprise Server Express Interim Security Update for February 12th 2013, I get another language (can't tell which). I did get the download. How to let Blackberry.com know? thanks,

dhahn#CB

Update- when opened in IE instead of Firefox, I get the proper page in English. Hmmmm.

MrHarmony

Doh - I thought this was related to the Toronto International Film Festival (TIFF).