Feeds

BlackBerry squeezed by DoS security bugs

Three vulns but only one fixed

Intelligent flash storage arrays

Research In Motion (RIM) has warned of a trio of vulnerabilities in its popular BlackBerry software that create a means for hackers to launch denial of service attacks. Patches are available to defend against only one of the vulnerabilities, but RIM has issued advice on how to guard against attack from the other two.

The most serious unfixed risk stems from a flaw in processing Server Routing Protocol (SRP) packets. This security bug creates a possible means to disrupt communication between BlackBerry Enterprise Server and BlackBerry Router, potentially disrupting service. A separate unpatched security bug in the handling of malformed Tiff image attachments creates a means for a remote hacker to launch denial of service attacks against the BlackBerry Attachment Service, providing an internal user is duped into viewing malicious files on a BlackBerry handheld.

The vulnerabilities have been reported in BlackBerry Enterprise Server 4.0 as well as later versions. Domino, Exchange and Novell GroupWise versions of the platform are all affected. Exploitation of the first vulnerability means a hacker needs to be able to connect to the BlackBerry Server or Router via port 3101/TCP. Shielding BlackBerry servers behind a firewall ought to thwart these attacks. Additionally, RIM advises users to exclude the processing of Tiff images as a workaround against the second threat, pending the availability of a more complete fix.

A third security bug - for which a fix has been made available - sees a BlackBerry handheld web browser vulnerable to a denial of service via a specially crafted Java Application Description (JAD) file. Users are advised to install BlackBerry device software version 4.0.2 or later to guard against attack.

Details of the vulnerabilities were outlined by FX of the Phenoelit group during a presentation at the 22nd Chaos Communication Congress in Berlin last week. US CERT has produced an overview of the vulnerabilities here.

In a statement, RIM said that it had "already developed software fixes for the issues identified by FX and, although there have been no customer reports of any actual problems, RIM has also provided temporary precautionary measures that can be taken in the meantime until customers are able to implement the software updates". ®

Security for virtualized datacentres

More from The Register

next story
TEEN RAMPAGE: Kids in iPhone 6 'Will it bend' YouTube 'prank'
iPhones bent in Norwich? As if the place wasn't weird enough
Consumers agree to give up first-born child for free Wi-Fi – survey
This Herod network's ace – but crap reception in bullrushes
Crouching tiger, FAST ASLEEP dragon: Smugglers can't shift iPhone 6s
China's grey market reports 'sluggish' sales of Apple mobe
Sea-Me-We 5 construction starts
New sub cable to go live 2016
New EU digi-commish struggles with concepts of net neutrality
Oettinger all about the infrastructure – but not big on substance
EE coughs to BROKEN data usage metrics BLUNDER that short-changes customers
Carrier apologises for 'inflated' measurements cockup
Comcast: Help, help, FCC. Netflix and pals are EXTORTIONISTS
The others guys are being mean so therefore ... monopoly all good, yeah?
Surprise: if you work from home you need the Internet
Buffer-rage sends Aussies out to experience road rage
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.