Network Security & Hardware - eWeek


Is the Smart Grid a Dumb Idea?
Surgical Adhesive Offers Smarter Way to Mend Bones
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Denial-of-Service Bug Bites BlackBerry



 By: Ryan Naraine
2006-01-04
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Research in Motion downplays the risk, but there are public claims that code execution attacks may be possible.

An unpatched security vulnerability in Research in Motion Ltd.s BlackBerry Enterprise Server could put millions of business users at risk of denial-of-service attacks, the company acknowledged Tuesday.

In an advisory, RIM warned that a corrupt TIFF (Tagged Image File Format) attachment could be used in an attack that would stop a user from being able to view attachments.

The bug was first flagged by a researcher known as "FX" during a presentation at the 22nd Chaos Communication Congress, where multiple RIM BlackBerry products came under the security microscope.

Resource Library:

Even as RIM downplayed the risk as a denial-of-service condition, the U.S.-CERT (Computer Emergency Readiness Team) said the vulnerabilities discussed by "FX" could allow an attacker to execute arbitrary code on the BlackBerry Attachment Service.

"To exploit these vulnerabilities, an attacker would need to supply a crafted file that is viewed or downloaded by a BlackBerry Handheld; or the attacker would need to redirect a network connection directed to the BlackBerry Infrastructure," US-CERT said in a separate alert.

Does the patent dispute between RIM and NTP go too far? Click here to read more.

"[We recommend] that BlackBerry sites upgrade BlackBerry Enterprise Server to the latest version," US-CERT said.

In all, US-CERT lists three different BlackBerry vulnerabilities, including the TIFF image bug that RIM fessed up to. That flaw affects the BlackBerry Enterprise Server 4.0 and later versions running on IBM Lotus Domino, Microsoft Exchange and Novell GroupWise.

RIM insists there is no impact on any other BlackBerry services, such as making phone calls, sending and receiving mail, or browsing the Web, and promised a patch would be made available.

"This is a previously reported issue that has been escalated internally to our development team. No resolution time frame is currently available," the Toronto-based RIM added.

As a temporary workaround, BlackBerry Enterprise Server administrators can selectively exclude TIFF images from being processed by the Attachment Service or disable the Attachment Service completely.

The BlackBerry Enterprise Server is key to RIMs push into the enterprise handheld device market. It is used by IT departments to connect Microsoft Exchange or Lotus Notes/Domino servers to a wireless carrier to allow for corporate e-mail delivery.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Denial-of-Service Bug Bites BlackBerry
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Ryan Naraine
 


x}r۸j9km]mGJɶkŶ,%^I*EBER̜ 7]hɗg$e["Fh4z$SW7-gL\sfS=uA@ X6&w>[ '(+o1mnf]( _h7GlJ~x'AT1RM Ɠ5Y1 |-[S}Lq~ql .hvLIl/GtuCަ%H=xwu)t=(DHږO6EGJߣ*C7 ݩx8/DeOXHYɼMcAy45A[h o =k|Ekw0Ni@Sա*"U{Q5hw/E /B1r!f-{4L*- DFL$؁y$f=Qw^A]õ]ZΑR͌e:o tG ob=uק&Y! .$g >N֟GBԿBKk8Q+vW<m~*UUew9(GA \m+h[Iw^׵ Cq9}r>=}'WrHǂ|Nw&LT*jZ*OL0h!5& :_B^ ,98CFI?n;n-4EJ K}Hs = (2,"t#>//.;6O.;cd̲6<ZMӀ Zvd!?X 㣫kQGs!+|qg>!5M0\̱¬:֪׷V]W`MK'^C&7@"rVJzeWR ~:\$.>vIAҡ,ȿNg;Be}^ З?ReQ So,nHˤdxL2Tch^ԩS е7'h,ABm&T7oh2 4 .ϬFh-Aho*K>Lr &@Sk~$GM ]5ņ])!exFS;mZ—W/(AK/5ڊ5|*(if)=^f&/\RD1p 3dTW9/x_L.΃fmќ-Ӆ]WcNL^㞖\z댛Ve..~:kzmxDnDvZM( 8Ź:o:jnb:|52+r%(NLf[ԑplPòǔIGzݽAAӧEz|JMk6m uI=DC#mxq-Z.+ԍEXn`NtcI 4o Qx٭lE%_¤< ) FA=H:}mP`~`c e+f!S uC έ_drcoMàF+:z?`!0.Zm;Ae^~>aCxwݐ,PVr`{)nвc@|j JGi0xz dSJJd$D!-i]R@Az< -,rrpl++~'nvGBj+6ODs@PGҩ;vjrW)̄rZ z)2ٜʬ$3Mf힟 X*ȉ#o"0%X -'Z X+5ڲ fkniڛ,Â%=Һ8,$-X#LCF0pqIVB!7O)wj@aix*2#wTw4?Ռ{`ILE:a9?%ہnP?ĝR;BZsOsR#~r--%ւeRu%z_No6ʎy0sm-VJ;g@xC l /;WKc:* _hihH*E6@p.-yO㐘 0Zm7@=ppZ#nP jrIj)K`W4E%sXf&`\ &P 7S~8!k^̆ǰVu<]|>#=or5C6!8y<2M 'BSjj33-F  o _׆K ȁUzqSҝataa;n/ yKJ_(Ǘ6i+B۽Ӝh2F ÑeHW{W+HLZ`!?ՊRRՄiҏ5 &^PGe d^ `M`R#׶| :lF֝{<}ZjY,>9WR>5 < đOT׃RUaT(j]xTwVF0\n}єa˘;|qWm*IrIQ)kMf9oLq3ۈhȈ0Aq_xHEAxZ+hpT@U.)L-9Iz 5[ hg [QznS kTR'8AÒ?DFQcG}ܴ>?CU^ٯVRw-"ZTjSCj_Vkov L3ǔ)V3G  N翢7_Sc`9g;W^`3\x 'שUXT8ᄱe1_0+fW S#cqWTҔwDF(/9 ΔsTNjZ|jVQݟ/YQ7SןfCa "#+0fjWj }hݤS*'Ș-qVCY-w7亢#ÏnR 7UtT#v vk(0ff{Dk P{N-~¿rZkBZ'@ upϭ(D apሙ@FCS؇`m/RۭTžu"X썿9 CbQD i^[p JG;pLj' %J+fx+sJbOW2EHypkC铨<3is{,s/&-,cw&R ԴT.[A^ (;3kJ6N1L M(G\մJY`&c1 s*? .|l3pڳ.22OwO}}Rc7o"Z$t-n\<_ȫ"wSԳлMklsGq3`S"豦mBxuW+'&lEv6Xjl<;"c3ۍ~Dc8ߊIUfvS΁MOT%0=@" #f.@C׳@g.7^u( ς24A̘5YVZFW}X`"-\XbbקGe7UEPV Yo =$Ԅ7wLaV*7A!RēC$>ġifR12fV*UYŕ?hxqLLl]|ﴺv?5@ E D@D;n?% ?S-l8-F:~J]W)il{ޗ[g/{xDŽst'_t{~{GDyIn독%<4UG*V-?\v?Iև6? F&[fB, 8oI 9ӸWsQ=)#钿z=;mF+";rgYC\|}=^xsޖX' ƃ w"iKrBë[E|}@԰{67g3K:g6n_"9=&@v\d(Ӑ` qN@P)V^ Ť볎֢Ѭ]}+ ɏhq{81 ͥ`L̴M\g whVPD(Vp9c㻞Pa*/q)yiۗuja~%XD2oAnth}k7yEO>47X]{gE V7gN{mc20t[plؖne{ѧ}yTq +:i)`* 94XhHn X"2NI:Ja+>8zd ,F}d3D?yaВ11>on\S;-4zP%( >Y6]awPݞ{͞6YiEemK\ -"PnZ|;}y-߳,Gvϼ whRѪOI߷StDxo!lY X%˶B:4~8#_i],t?N`C෤;t }":)T՚+Ĝ㇓H64x=Her9s ?}bu'pu u&*e'$* Ya:iofc w'Ǡ~[熈T+o)y b/T¬%RyBfrpjvFS*~t;)7{8nM`,Ϙ.j^a'0eu@$OUo7ߠ*VߦpxO8l|9>|K}QPG`K'$er]Us fwH_atRh1з3@|p9$Lm$qt>]rX%Xr Q3::8iOGO I /$O_T^I]Dj9Z% $`HR+`TTa0' D׫~m:`ں Sy6ɱ}DNO0;R.XN42v.yG3zNjٶTV*Zd,rmbc$nRSDڶ hč2{ 9|F`JRP}4MTT ݅ =^=?9VpM"hr nI=טhc7=I8H"8*%@f OD(ܤFV Z%j?J-Dg&yVM\CrDu;*%m(!DFp$HW;?0M6Cs76W75õ3r;;.D9%/(*xSJz3 6gg`߆71)$|I5W5QCMӖ%j6M}֜YlH؍V6kӲdu_?wWiBB $o.S6-0c%u# Z1u[Sx݃VR]ٽ4հ]&O%q;DBPx˯ }n6_4(LcYѽ &eLR_Z\Ga TC$iRL\D]"H3[_Y"{ߝ\0Z4RP@ke,m`T&}ܨpG#Ii`>~M찻m;!am@a ``KItk>5ٵ:\1p5"|"\+0zUf(ɫy:\֚^}Q)VxĀSIv+0!PXJ>5):1Q8ޚhL L#vZ}w}5lH% aMkᡗc5ܚlvq-AWay/uLKUmZD<'WH*Ρ#WH;ywOwOwOwO+DkD/[ew7u3]?.\Ѓ "MXmWOH̴?хs<;ϿoӗG-eznؽ ԙzJp&o=XQ:a08Ӡ4m Dp-Z=Aی)'lF/|kd5ƮW_׳#Rof}g'O B 0aDz9W/Dx ^%2šE.K#BWYL8g77l,@\rSyu?D1^ ^{@cln܍xAlb܌^=P? (XU.F[ѥځro9듃yc1D0pIE!UaAHz윬UW:=QNaN ͭ~UyK\\9oE@<gSwj;Ra,_g^~np˹m zm)&.>(!L=u89-O,&|euo qV_;6۬7ot`vjce1㵙Vxi3`W[:</5o}`YmZسO ],6c5H n9n63^Mp0W/%,DC2CbE4t86?FSXL)2Jf68Jj` n*@->t5ol6Sj ΍ko(j3*$ /= ^ZxᩙqKr׃qȼ y-۞Nړَ!N;X т,#ЋǧNdS.+S]!^k\7T60P-[G?eG( x9-57=ƃ=gƖYH!`-1_t5^TPAgXt<}"&!#Mх.` n0Dy u:M_SwC~RJ~q+dEμKOaR--:'v v2y(" <7ܹ%KVqG8A$ה{ē[1qKD>ݪbD3ʉmO{xWM3B/Xx;$e _Mu,ΉaDGȡTg*׶/V|g_F`0m+`A#샒=%x%k?n!,q,Dwo$-{?Ñ:/;AXx- dŌUDNE07vEa7`8(ĒI 'h#8l1{QШ>gFSYh9v15\R.\KsZk XgYw%[dLox;B鞐ք1x*B 'UٜAGu DZ!դ #ŸxŃ'5̈'50~fB׵avDWe|W@O[fkwg,R%YՉ<] mݹ^!5&<9ڢ#2)Xde|}y -@kl/3 OK3$UX] 06a8ì&W/ժo_+)Z{g}搯kJMUAQ4l*p\jԝYc@I'`9Ekѽf=/'=wyKjmݷIt=\* ELIߚ,,Wji#TJ u7;xĆ}o@ON cˡ%}^kپw \,U~)1s)?/0ޛK{EMZ^[AO5XNtDQJNDڬJ]kV*Fw"E<>#4=/Ww3=޶4JYqlkΉ0;Rp3'';  D"y԰t|G*_[Ez%r=&=Yw=X>K`.jJGh-;PbG2O׈1o c%k)rUewޠ~z*ޟOhg~fnwZ]~NȚZGt BJ t^],ԝ}p\pbȣVdL4"&(qTiK$<49࿿_zLq}nOKZ&{6@@P0H4o`Kۈ( /a5,ǰg&6/bNr`Jl,Q۹`bWoH$P +wdcF>b|9gI Kh$aq:PEEt0w  9n 񓔽Ԕ͍$u~{gvK) '.X`,2E<Cez{?,Gzav2x :ROLS)zy 6t(QS1U&-n 1rPh$`x=9nievtaPX{dO ( @Ka1c~Po֔J$2 >(%>gٕa)XU+SʷFyCX&*A:iJdR ?h$@F쌆xɾe;$$ ͈ɵ?ѝXf 9^9lIAstA{%E_gQ7B{{s޾ cˇ2d&SE`9,eiY)3C9lꌹ6W;́WN҈>+ah,Ώ6}(O.!jb\ũ2M؂?&ez [GG^O˧VRk!<@Vʼnt,Z9t.65BA^^[˹5 5NMo )n}>yЌLjV}Qu xS?9x]pj+ ݜr#Q;W}sOPiuI<.rg:9'Bc/ Y]~ Osl<3YNY|Y}π>g99 ,?π?re<矡sN S~g909{s#?0~99wAtsOK7G\\eSS.A{9A{9s/(O_r3+}g]AU^9U^AW9_]_zy[9rֺ۩ANy*P/nvs ؋:WK?s_r NZ&a(]a芫-5n+ ǤZu6 ys/-#y)6${(^_HyE#chto$.rd&}:i;GLwe<-7ceɂ#LXE9s8Gc_%[n3'rO=Sk{"X8SNt71 }+,sy˘!SS;N={r mGӱ[0Р_}P4lKeBghX`$fZgΣ8 !rzGrjhN4psn`'~$ RfCZִZjVU ?n'Hd6#!"2tx55ɪ"+uw9 8]V*r `" *s>P`2_7UF` Ԋz!J1 -4`֭tK1B&\Cx';!2ի2dof2EaSOCt8cKx;r$I Y8P&`.5.F^̆$>w a&ʬc 6%`ή݂l=2 gj Y(}by0\9 h7ޠMz4z<8J)g,#[ P`t{^=Ll}{錘B΄7п=߂s%(ULp(}0@xL´k:#hn3E W'ڠ֭T#[cWXn΀`@,o=,6"f9t}y x_ ˝1bra`O*{qsAnӥcX0nƝZkǂs5 D =bW< ?c[3Id .d⟒N*Maџ eF%41.n_OS˙ݱ]c 6{Nz Oa誹0g+xVb;`HIأ CO6vDk0Fs`^#cil@O咤 X1W䁝gAg|bhD~%u&$rq;atFD Xz_3WE쭨FNAc>7q> w&|[pO\Nҏm^ǨzkqRxނAR$~h~rA߬EOg'_qEf$Ο6=/5-6DwΚb'/x4]szln()y+J9*لW0UZVAoL3SY,> F_dvO~-B+*O M۰z^>K:S3U1֜/g7/;K{K9k((& ]a1KVW:.\*$+#R.ڐOF{/)0XP].X&">6LN>NCc? `fwl9Bn'!rɭh'FFp)hFN<}u<ڢu ğ?X cwH V&LtOulם8E#؍ݢF}L޴{kSsL%:Ɛ/>-S)0_p,\ftK=6C|gK_ozQڃ` Lܶ- `ꎈu6eژDR*El&f ,~sfGmr(@P 91"uz ?< v3fC &K_2uy>v/-6J~S. O3й?-R7e͌:ߏ,{QFbVCq얢e.nDY g~sxqtu2^GB~@d^X\ \xye~҅V*I,f`bQd+$*)ؐW m5'0X1+ (R{Qz7}OaN*)Asa#Dl ApF7/\29Lg=3E~1㾺[ŻwF~\ʉ.VWxozc|[70XjPtP>9.z0 LMۉkÐpai#fSS;3 [߂ ixj XXC`*F"