BlackBerry warns of TIFF-based BES vulnerability

By Simon Sage on 19 Feb 2013 10:21 am EST

BlackBerry has issued a warning that BlackBerry Enterprise Servers could be remotely accessed when they process images in the TIFF format. An attacker would need to craft a specific web page and get someone with sufficient privileges to click a link to that page on their BlackBerry. Alternatively, they could send an e-mail or instant message containing the image, and the recipient wouldn't even have to open it for the exploit to work. Here's a snippet from the recently released knowledge base article:

Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone. Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server. Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.

We've seen this kind of security warning before, and when they rate this high on the severity scale they generally get taken care of quickly. In fact, a patch is already available for this TIFF vulnerability: admins just have to update their servers to version 5.0.4 MR2 or download an interim release.

So, end users: as long as your IT dude is competent and keeps the BES software up to date, you really don't have anything to worry about.

Reader comments


SO IOS HAS A HUGE PASSWORD FLAW WHERE YOU CAN GET INTO ANY LOCKED IPHONE EASILY AND ALL I SEE IN THE HEADLINES IS THIS, WHICH THERE IS ALREADY A FIX FOR!

Apple doesn't claim to be the best around for security. BlackBerry does. It would be more like if iTunes stopped working with iPods all of a sudden. That would be in the news.

To me, this is actually a good thing. BlackBerry is being upfront with their security issues, as opposed to Apple, which denies there ever was an issue lol

I almost feel the word "FIX AVAILABLE" should be before the title to this article.

40 more days till I lose my mind if the Z10 isn't made available on VZW.

If we're going to ride him about his spelling, let's talk about "priviledges" as well.
No spell check at Crackberry.com? *le sigh*

What about JPEGs, BMPs, PNGs? Don't those also have you get the image off the remote web site? Why is this issue specific to TIFFs?

Why is this issue specific to TIFFs?

Because it's specific to TIFFs. Image formats are all different. Each is processed differently. Hence, a vulnerability can exist in one without existing in another.

TIFFs are huge files so therefore they have the ability to contain a preview image file. I imagine the preview file could be used as a malware payload instead of a preview image.
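The two comments above are right that TIFF is parsed quite differently from JPEG or PNG: it is a directory (IFD) of tagged entries whose counts and offsets all come from the file itself, which is exactly the kind of data a renderer has to distrust. The page does not say what the BES flaw was, so the following is an added example, not BlackBerry's code: a Python pre-filter that walks a TIFF's IFD chain and rejects any file whose claimed counts or offsets fall outside the buffer, exercised on constructed sample files. A gateway could run a check like this on an attachment before handing it to a renderer.

```python
import struct
# Byte size of each classic-TIFF field type (1=BYTE ... 12=DOUBLE).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def check_tiff(data, max_ifds=8, max_entries=256):
    """Walk a classic TIFF's IFD chain; return (ok, reason). No pixel data is decoded."""
    if len(data) < 8:
        return False, "shorter than TIFF header"
    if data[:4] == b"II*\x00":
        end = "<"                      # little-endian
    elif data[:4] == b"MM\x00*":
        end = ">"                      # big-endian
    else:
        return False, "bad magic"
    offset = struct.unpack(end + "I", data[4:8])[0]
    seen = set()
    while offset:
        if offset in seen or len(seen) >= max_ifds:
            return False, "IFD chain loops or exceeds %d directories" % max_ifds
        seen.add(offset)
        if offset % 2 or offset + 2 > len(data):
            return False, "IFD offset %d misaligned or outside file" % offset
        n = struct.unpack(end + "H", data[offset:offset + 2])[0]
        base = offset + 2
        if n == 0 or n > max_entries or base + 12 * n + 4 > len(data):
            return False, "IFD claims %d entries but file is truncated" % n
        for i in range(n):
            tag, typ, count, value = struct.unpack(end + "HHII", data[base + 12 * i:base + 12 * i + 12])
            size = TYPE_SIZES.get(typ)
            if size is None:
                return False, "tag %d has unknown type %d" % (tag, typ)
            total = size * count       # values over 4 bytes live at offset 'value'
            if total > 4 and value + total > len(data):
                return False, "tag %d value (%d bytes at %d) outside file" % (tag, total, value)
        offset = struct.unpack(end + "I", data[base + 12 * n:base + 12 * n + 4])[0]
    return True, "ok"

def make_tiff(entries, next_ifd=0, tail=b""):
    """Build a constructed little-endian TIFF with a single IFD at offset 8."""
    ifd = struct.pack("<H", len(entries)) + b"".join(struct.pack("<HHII", *e) for e in entries)
    return b"II*\x00" + struct.pack("<I", 8) + ifd + struct.pack("<I", next_ifd) + tail

# Constructed samples: 4 entries put the end of the IFD at byte 62, where the ASCII tail starts.
ENTRIES = [(256, 3, 1, 4), (257, 3, 1, 4), (273, 4, 1, 50), (270, 2, 5, 62)]
GOOD = make_tiff(ENTRIES, tail=b"desc\x00")
BAD_OFFSET = make_tiff(ENTRIES[:3] + [(270, 2, 5, 4000)], tail=b"desc\x00")
LOOP = make_tiff(ENTRIES, next_ifd=8, tail=b"desc\x00")
TRUNCATED = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 40) + bytes(12)
```

Passing this check only proves the directory is self-consistent; it is a cheap first gate, not a substitute for patching the renderer itself.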

Yes, you can use obfuscation to hide a program within a TIFF; it's how many PSP exploits were found out in the last decade. Heck, I have a program that can do it and then another that can reveal what was hidden. I'm an ex-hacker.

Do any of you honestly think there will NOT be a fix? Come on, this is BlackBerry, not Android or iPhoney. Those guys don't have the same security infrastructure.

So, when I open the readme and instructions for BlackBerry Enterprise Server Express Interim Security Update for February 12th 2013, I get another language (can't tell which). I did get the download. How do I let Blackberry.com know? Thanks,