The second BlackBerry security advisory released yesterday relates to yet another flaw in the PDF Distiller component of RIM's BlackBerry Enterprise Server. Issues with the troublesome BES PDF distiller have been identified as "severe" risks in at least five different RIM security advisories since the summer of 2008. (Read about the last PDF-Distiller-related security advisory, issued just last month.)
"The vulnerability could allow a malicious individual to cause buffer overflow errors, which may result in arbitrary code execution on the computer that hosts the BlackBerry Attachment Service. While code execution is possible, an attack is more likely to result in the PDF rendering process terminating before it completes. In the event of such an unexpected process termination, the PDF rendering process will restart automatically but will not resume processing the same PDF file."
"Successful exploitation of this vulnerability requires a malicious individual to persuade a BlackBerry smartphone user to open a specially crafted PDF file on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server. The PDF file may be attached to an email message or the BlackBerry smartphone user may retrieve it from a web site using the BlackBerry Browser."
This latest security advisory carries the highest CVSS score I've seen tied to any such BlackBerry warning: 9.3 out of 10, with 10 representing the most severe threats. RIM says any and all BlackBerry administrators running full BES, BES Express or BlackBerry Professional Software for Microsoft Exchange, IBM Lotus Domino or Novell GroupWise should visit its server downloads page to see if a security update is available.