BlackBerry Enterprise Server administrators need to take action immediately to fix a vulnerability that affects the way .TIFF image files are rendered on BlackBerry phones. In one version of the attack, users don’t even need to open an affected email to be left vulnerable.
BlackBerry has issued an interim patch, as well as BlackBerry Enterprise Server version 5.0.4 MR2, which apparently fixes the vulnerability.
From a user standpoint, BlackBerry and Windows Phone are fighting over an increasingly small percentage of the market, thanks to the combined dominance of Apple’s iOS and Google Android. BlackBerry CEO Thorsten Heins has reportedly considered the possibility of selling off the BlackBerry hardware business. If BlackBerry 10 fails to gain traction in the marketplace, the company will likely face some hard choices.
The vulnerability could prove another headache for BlackBerry administrators, as malicious actors could use it to gain remote access to—and run code on—the BES. BlackBerry rated the vulnerability a 10.0, the most severe level, although it claimed it hadn’t discovered any attacks in the wild.
Three services are vulnerable, BlackBerry said, including the BlackBerry Mobile Data System—Connection Service, which processes images on Web pages requested by the BlackBerry Browser; the BlackBerry Messaging Agent, which processes images in email messages; and the BlackBerry Collaboration Service, which processes images in instant messages sent between an organization’s instant messaging server, its BES, and other devices.
To exploit the vulnerabilities in how the BlackBerry MDS Connection Service processes .TIFF images, an attacker would need to create a specially crafted Web page and then persuade the BlackBerry smartphone user to click a link to that Web page. The attacker could provide the link to the user via an email or instant message.
Hiding malicious code inside image files isn’t new: way back in ye olden days of 2004, malware hidden inside JPEG files plagued Windows machines. Some administrators are doubtless wondering why, after all this time, this sort of vulnerability hasn’t been decisively eliminated from the online world.