Feeds

BlackBerry squeezed by DoS security bugs

Three vulns but only one fixed

Security for virtualized datacentres

Research In Motion (RIM) has warned of a trio of vulnerabilities in its popular BlackBerry software that create a means for hackers to launch denial of service attacks. Patches are available to defend against only one of the vulnerabilities, but RIM has issued advice on how to guard against attack from the other two.

The most serious unfixed risk stems from a flaw in processing Server Routing Protocol (SRP) packets. This security bug creates a possible means to disrupt communication between BlackBerry Enterprise Server and BlackBerry Router, potentially disrupting service. A separate unpatched security bug in the handling of malformed Tiff image attachments creates a means for a remote hacker to launch denial of service attacks against the BlackBerry Attachment Service, providing an internal user is duped into viewing malicious files on a BlackBerry handheld.

The vulnerabilities have been reported in BlackBerry Enterprise Server 4.0 as well as later versions. Domino, Exchange and Novell GroupWise versions of the platform are all affected. Exploitation of the first vulnerability means a hacker needs to be able to connect to the BlackBerry Server or Router via port 3101/TCP. Shielding BlackBerry servers behind a firewall ought to thwart these attacks. Additionally, RIM advises users to exclude the processing of Tiff images as a workaround against the second threat, pending the availability of a more complete fix.

A third security bug - for which a fix has been made available - sees a BlackBerry handheld web browser vulnerable to a denial of service via a specially crafted Java Application Description (JAD) file. Users are advised to install BlackBerry device software version 4.0.2 or later to guard against attack.

Details of the vulnerabilities were outlined by FX of the Phenoelit group during a presentation at the 22nd Chaos Communication Congress in Berlin last week. US CERT has produced an overview of the vulnerabilities here.

In a statement, RIM said that it had "already developed software fixes for the issues identified by FX and, although there have been no customer reports of any actual problems, RIM has also provided temporary precautionary measures that can be taken in the meantime until customers are able to implement the software updates". ®

Protecting against web application threats using SSL

More from The Register

next story
Brit telcos warn Scots that voting Yes could lead to HEFTY bills
BT and Co: Independence vote likely to mean 'increased costs'
Phones 4u slips into administration after EE cuts ties with Brit mobe retailer
More than 5,500 jobs could be axed if rescue mission fails
New 'Cosmos' browser surfs the net by TXT alone
No data plan? No WiFi? No worries ... except sluggish download speed
Radio hams can encrypt, in emergencies, says Ofcom
Consultation promises new spectrum and hints at relaxed licence conditions
Turnbull: NBN won't turn your town into Silicon Valley
'People have been brainwashed to believe that their world will be changed forever if they get FTTP'
Blockbuster book lays out the first 20 years of the Smartphone Wars
Symbian's David Wood bares all. Not for the faint hearted
Bonking with Apple has POUNDED mobe operators' wallets
... into submission. Weve squeals, ditches payment plans
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.