TIFF images are a vulnerability to BlackBerry Enterprise Servers

BlackBerry Enterprise Server TIFF vulnerability

If you are a BlackBerry Enterprise Network user, here is something you need to be careful about. The Canadian smart phone manufacturer says that it has a vulnerability in its product which could do terrible things. According to the company, the problem is the way the server handles image files. A person could put a malicious code into an image file and run that on the Enterprise Sever. This code can then do the work as instructed to it. It can either help the programmer in getting into the server, or break down the server.

The issue has been rated as “high severity” and it works as follows: “A malicious person writes a special code and then embeds it in a TIFF image file. The person then convinces a Blackberry smart phone user (whose phone is connected to a corporate BES) to view the TIFF file. As soon as the image file loads on the phone, the code runs on the Blackberry Enterprise server and either opens up a back door into the network or causes the network to crash altogether as instructed in the basic code.”

According to the advisory given by Blackberry “Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone. Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server. Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.”

The Canadian company has not stopped here right now. It says that it has already published a work around for this. And if you are a BlackBerry Enterprise Server administrator, it is highly recommended that you update the software on your server as soon as possible.

Source: Ubergizmo