BlackBerry-maker Research In Motion (RIM) yesterday issued two separate security advisories warning both BlackBerry smartphone users and corporate BlackBerry Enterprise Server (BES) administrators of newly discovered security flaws in many versions of RIM's BlackBerry handheld software and in BES.
The first advisory applies to BlackBerry smartphone users, and it warns of what RIM is calling a "partial denial-of-service (DoS)" attack, in which websites with hidden malicious code could freeze users' BlackBerry Browsers and render them unable to surf the Web until the browser either restarts itself or the device is rebooted.
From RIM: "This advisory relates to a BlackBerry device software vulnerability that could allow an attacker to maliciously craft a Web page such that, when the BlackBerry device user views the page on a device running the affected BlackBerry device software, the browser application becomes unresponsive. ... Successful exploitation of this issue relies on the user viewing the maliciously crafted Web page on a device running the affected BlackBerry device software."
The flaw ranks as "medium" severity on the Common Vulnerability Scoring System (CVSS), and RIM says it has issued updated BlackBerry handheld software to solve the problem. The vulnerability doesn't exactly require an urgent fix, because the worst that will happen is that an affected user's browser might freeze. But RIM says BlackBerry users running handheld software versions 5.0.0 to 6.0.0 should check their wireless carrier's websites or BlackBerry.com for software updates. BlackBerry handheld software prior to v5.0.0 is not supported, and software newer than v6.0.0 is not affected, according to RIM.
(Note: Even if RIM has pushed software updates to wireless carriers to address the issue, it often takes those carriers time to examine and approve the software. If no update is currently available for your device, and you find your browser freezing, RIM suggests simply waiting until the problem resolves itself or resetting your BlackBerry by removing its battery.)
The last major BlackBerry-Browser-related security flaw identified by RIM was in September of 2009.
The second BlackBerry security advisory released yesterday relates to yet another flaw in the PDF Distiller component of RIM's BlackBerry Enterprise Server. Issues with the troublesome BES PDF distiller have been identified as "severe" risks in at least five different RIM security advisories since the summer of 2008. (Read about the last PDF-Distiller-related security advisory, issued just last month.)