January 13, 2009, 2:11 PM — Research In Motion issued a software update to address a vulnerability that could let a hacker send malicious code in a PDF file.
The update, released on Monday, fixes multiple vulnerabilities in the way that the BlackBerry Attachment Service handles certain PDF (Portable Document Format) files. The attachment service, a component of the BlackBerry Enterprise Service, displays e-mail attachments such as PDF, Word, PowerPoint, Excel and HTML files for BlackBerry users.
The vulnerabilities could let a hacker send an e-mail message with a PDF file that, when opened by a BlackBerry user, could cause memory corruption or launch code on the computer that hosts the BlackBerry Attachment Service, RIM said in the security advisory.
The problem affects some versions of the BlackBerry Enterprise Server and BlackBerry Professional Software, the offering designed for small and medium businesses.
RIM also offered some tips on other ways to prevent an attack based on the vulnerability, which some companies could employ while they prepare to issue the patch. An enterprise can prevent the attachment service from processing and opening PDFs. BlackBerry users can also run the attachment service on a computer in an isolated network segment, which would prevent the spread of a potential attack across a network.
RIM credited Sean Larsson of iDefense Labs for reporting the issue.
