RIM fixes critical BlackBerry Enterprise Server bug

Research in Motion patched a critical bug in its BES (BlackBerry Enterprise Server) Friday to stymie hackers hoping to break into company networks by tricking users of the popular smartphone into opening rigged PDFs.

The fix, which was delivered in several separate updates to BES, addressed a security vulnerability in the PDF distiller component of the BlackBerry Attachment Service, which runs on the BES. RIM first disclosed the flaw last week, but the bug gained attention Wednesday when the U.S. Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security, posted an alert.

[ Learn how to secure your systems with Roger Grimes' Security Adviser blog and newsletter, both from InfoWorld. ]

Attackers could exploit the vulnerability by getting BlackBerry users to open malicious PDF files attached to e-mail messages. Successful exploits would compromise servers running BES, not individual BlackBerry devices, RIM said in security advisories first published July 10.

A RIM spokeswoman said Friday that the company had received no reports of attacks and that updates were now available for BES.

Enterprise administrators can update to BES version 4.1 Service Pack 6 (4.1.6) for Microsoft Exchange and IBM Lotus Domino, RIM said in a revised advisory. An update to BES for Novell GroupWise pegged as 4.1.4 also patches the problem.

Administrators running editions of BES older then versions 4.1.6, or 4.1.4 for GroupWise, can instead apply one of several interim security updates posted on RIM's download site.

Previously, RIM had updated the BlackBerry Unite software that users run on their smartphones to patch the problem on the client side.