BlackBerry Enterprise Server PDF Distiller Flaws Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID: 1023258
SecurityTracker URL: http://securitytracker.com/id/1023258
CVE Reference:
CVE-2009-4778
Updated: Apr 26 2010
Original Entry Date: Dec 2 2009
Impact:
Execution of arbitrary code via network, User access via network
Fix Available: Yes Vendor Confirmed: Yes
Version(s): 4.1.3 - 4.1.7, 5.0.0
Description:
A vulnerability was reported in the BlackBerry Attachment Service for the BlackBerry Enterprise Server. A remote user can cause arbitrary code to be executed on the target server.
A remote user can create a specially crafted PDF file that, when viewed by a user via a BlackBerry smartphone that is associated with a user account on the target BlackBerry Enterprise Server, will execute arbitrary code on the target server. The attachment is processed by the PDF distiller of the BlackBerry Attachment Service on the server, not on the smartphone, so the code executes with the privileges of that server-side service.
The vulnerability resides in the PDF distiller of the BlackBerry Attachment Service.
BlackBerry Professional Software 4.1 Service Pack 4 (4.1.4) is also affected.
Impact:
A remote user can create a PDF file that, when viewed by a user, will execute arbitrary code on the target server.
Solution:
The vendor has issued a fix [quoted].
For BlackBerry Enterprise Server version 5.0 for Microsoft Exchange and IBM Lotus Domino
* Visit http://www.blackberry.com/go/serverdownloads to upgrade to BlackBerry Enterprise Server Version 5.0.1 or later, or obtain Interim Security Update 3 for BlackBerry Enterprise Server software version 5.0.0.
For BlackBerry Enterprise Server version 4.1.7 for Microsoft Exchange and IBM Lotus Domino
* Visit http://www.blackberry.com/go/serverdownloads to obtain Interim Security Update 1 for BlackBerry Enterprise Server software version 4.1.7.
For BlackBerry Enterprise Server version 4.1.6 for Microsoft Exchange and IBM Lotus Domino
* Visit http://www.blackberry.com/go/serverdownloads to upgrade to BlackBerry Enterprise Server Version 4.1.6 MR8 or later.
For BlackBerry Enterprise Server version 4.1.6 for Novell GroupWise
* Visit http://www.blackberry.com/go/serverdownloads to upgrade to BlackBerry Enterprise Server Version 4.1.6 MR6 or later.
For BlackBerry Enterprise Server version 4.1.4
* Visit http://www.blackberry.com/go/serverdownloads to upgrade to BlackBerry Enterprise Server Version 4.1.6 MR8 or later, or obtain Interim Security Update 5 for BlackBerry Enterprise Server software version 4.1.4.
For BlackBerry Professional Software
* Visit http://na.blackberry.com/eng/support/downloads/#tab_professional to obtain Interim Security Update 5 for affected BlackBerry Professional Software versions.
The vendor's advisory is available at:
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB19860
Vendor URL: www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB19860
Cause:
Not specified
Underlying OS:
Windows (2000), Windows (2003), Windows (2008)
Message History:
None.
Source Message Contents
Date: Wed, 02 Dec 2009 00:00:32 +0000
Subject: BlackBerry Enterprise Server
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB19860
KB19860
Vulnerabilities in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server