SecurityTracker.com
Category:   Application (Generic)  >   BlackBerry Enterprise Server
Vendors:   Research In Motion Limited
BlackBerry Enterprise Server PDF Distiller Flaws Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1023258
SecurityTracker URL:  http://securitytracker.com/id/1023258
CVE Reference:   CVE-2009-4778
Updated:  Apr 26 2010
Original Entry Date:  Dec 2 2009
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.1.3 - 4.1.7, 5.0.0
Description:   A vulnerability was reported in the BlackBerry Attachment Service for the BlackBerry Enterprise Server. A remote user can cause arbitrary code to be executed on the target server.

A remote user can create a specially crafted PDF file that, when viewed by a user via a BlackBerry smartphone that is associated with a user account on the target BlackBerry Enterprise Server, will execute arbitrary code on the target server.

The vulnerability resides in the BlackBerry Attachment Service.

BlackBerry Professional Software 4.1 Service Pack 4 (4.1.4) is also affected.

Impact:   A remote user can create a PDF file that, when viewed by a user, will execute arbitrary code on the target server.
Solution:   The vendor has issued a fix [quoted].

For BlackBerry Enterprise Server version 5.0 for Microsoft Exchange and IBM Lotus Domino

* Visit http://www.blackberry.com/go/serverdownloads to upgrade to BlackBerry Enterprise Server Version 5.0.1 or later, or obtain Interim Security Update 3 for BlackBerry Enterprise Server software version 5.0.0.

For BlackBerry Enterprise Server version 4.1.7 for Microsoft Exchange and IBM Lotus Domino

* Visit http://www.blackberry.com/go/serverdownloads to obtain Interim Security Update 1 for BlackBerry Enterprise Server software version 4.1.7.

For BlackBerry Enterprise Server version 4.1.6 for Microsoft Exchange and IBM Lotus Domino

* Visit http://www.blackberry.com/go/serverdownloads to upgrade to BlackBerry Enterprise Server Version 4.1.6 MR8 or later.

For BlackBerry Enterprise Server version 4.1.6 for Novell GroupWise

* Visit http://www.blackberry.com/go/serverdownloads to upgrade to BlackBerry Enterprise Server Version 4.1.6 MR6 or later.

For BlackBerry Enterprise Server version 4.1.4

* Visit http://www.blackberry.com/go/serverdownloads to upgrade to BlackBerry Enterprise Server Version 4.1.6 MR8 or later, or obtain Interim Security Update 5 for BlackBerry Enterprise Server software version 4.1.4.

For BlackBerry Professional Software

* Visit http://na.blackberry.com/eng/support/downloads/#tab_professional to obtain Interim Security Update 5 for affected BlackBerry Professional Software versions.

The vendor's advisory is available at:

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB19860

Vendor URL:  www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB19860
Cause:   Not specified
Underlying OS:   Windows (2000), Windows (2003), Windows (2008)

Message History:   None.


 Source Message Contents

Date:  Wed, 02 Dec 2009 00:00:32 +0000
Subject:  BlackBerry Enterprise Server


http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB19860

KB19860

Vulnerabilities in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server
Copyright 2014, SecurityGlobal.net LLC