Technical Description

Multiple vulnerabilities have been identified in various BlackBerry products, which could be exploited by attackers to compromise a vulnerable device. These issues are caused by memory corruption errors in the PDF distiller of the BlackBerry Attachment Service component when processing malformed PDF files, which could be exploited by attackers to crash an affected service or execute arbitrary code with SYSTEM privileges by tricking a user into opening a malicious PDF document.

Affected Products

BlackBerry Enterprise Server software versions 4.1 Service Pack 3 (4.1.3) through 5.0
BlackBerry Professional Software version 4.1 Service Pack 4 (4.1.4)

Solution

BlackBerry Enterprise Server 5.0 - Apply Interim Security Update 2 :
http://www.blackberry.com/go/serverdownloads

BlackBerry Enterprise Server 4.1.x - Apply Interim Security Update 4 :
http://www.blackberry.com/go/serverdownloads

BlackBerry Professional Software - Apply Interim Security Update 4 :
http://na.blackberry.com/eng/support/downloads/

References

http://www.vupen.com/english/advisories/2009/1429
http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB18327

Credits

Vulnerabilities reported by the vendor.

ChangeLog

2009-05-27 : Initial release

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts with CVE, CWE, and CVSS when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.