BlackBerry warns of TIFF-based BES vulnerability

BlackBerry has recently issued a warning that enterprise servers could be remotely accessed when they process images in TIFF format. Attackers would need to craft a specific web page and get someone with sufficient privileges to click on a link to that page on their BlackBerry. Alternatively, the attacker could send an e-mail or an instant message containing the image, and the recipient wouldn't even have to answer it for the exploit to work. Here's a snippet from the recently released knowledge base article:
Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone. Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server. Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.
We've seen these kinds of security vulnerability warnings issued before, and generally when they're this high on the severity scale, they get taken care of pretty quickly. In fact, a software patch is already in place to fix this TIFF vulnerability - admins just have to update their servers to version 5.0.4 MR2 or download an interim release.
So end users, so long as your IT dude is competent and keeping the BES software up to date, you really don't have anything to worry about.
crwblyth Feb 19, 2013 at 11:06 am
Funny typo: competant -> competent
rorykins Feb 19, 2013 at 11:10 am
Competent as competent can be
adrenaline_x Feb 19, 2013 at 11:10 am
Missed this one!
Ronstermadness Feb 19, 2013 at 11:30 am
SO IOS HAS A HUGE PASSWORD FLAW WHERE YOU CAN GET INTO ANY LOCKED IPHONE EASILY AND ALL I SEE IN THE HEADLINES IS THIS, WHICH THERE IS ALREADY A FIX FOR!
supraking Feb 19, 2013 at 11:34 am
Apple doesn't claim to be the best around for security. BlackBerry does. It would be more like if iTunes stopped working with iPods all of a sudden. That would be in the news.
tfp Feb 19, 2013 at 2:07 pm
To me, this is actually a good thing. BlackBerry is being upfront with their security issues as opposed to Apple that denies there ever was an issue lol
Blackberry_Fiend Feb 19, 2013 at 11:39 am
I almost feel the word "FIX AVAILABLE" should be before the title to this article.
40 more days till I lose my mind if the Z10 isn't made available on VZW.
imcurved Feb 19, 2013 at 2:53 pm
Agree. The title should somehow convey that a fix is available.
TMO_9000_32GB_PB
celestial blue Feb 19, 2013 at 11:43 am
If we're going to ride him about his spelling, let's talk about "priviledges" as well.
No spell check at Crackberry.com? *le sigh*
ThaMunsta Feb 19, 2013 at 11:48 am
AINTNOBODYGOTTIMEFORTHAT.jpg
bbfanboi Feb 19, 2013 at 12:28 pm
What about jpegs, bmps, pngs? Don't those also have you get the image off the remote web site? Why is this issue specific to TIFFs?
supraking Feb 19, 2013 at 12:45 pm
"Why is this issue specific to TIFFs?"
Because it's specific to TIFFs. Image formats are all different. Each is processed differently. Hence, a vulnerability can exist in one without existing in another.
blackmoe Feb 19, 2013 at 3:21 pm
TIFFs are huge files so therefore they have the ability to contain a preview image file. I imagine the preview file could be used as a malware payload instead of a preview image.
thatplaybookguy Feb 19, 2013 at 4:09 pm
Yes, you can use obfuscation to hide a program within a TIFF; it's how many PSP exploits were found out in the last decade. Heck, I have a program that can do it and then another that can reveal what was hidden. I'm an ex-hacker.
thatplaybookguy Feb 19, 2013 at 4:05 pm
Do any of you honestly think there will NOT be a fix? Come on, this is BlackBerry, not Android or iPhoney. Those guys don't have the same security infrastructure.
omniusovermind Feb 19, 2013 at 4:39 pm
Blackberry's top rating for security going once... going twice... SOLD to the man from Redmond!
BruvvaPete2 Feb 19, 2013 at 5:22 pm
um... huh??
dhahn#CB Feb 20, 2013 at 10:20 am
So, when I open the readme and instructions for BlackBerry Enterprise Server Express Interim Security Update for February 12th 2013, I get another language (can't tell which). I did get the download. How to let Blackberry.com know? thanks,
dhahn#CB Feb 20, 2013 at 10:23 am
Update- when opened in IE instead of Firefox, I get the proper page in English. Hmmmm.