RealTime IT News

Security Holes Patched in BlackBerry Enterprise Server

Wireless device maker Research in Motion (RIM) has released a new version of its BlackBerry Enterprise Server for Microsoft Exchange to fix a series of security vulnerabilities.

An advisory from the Ontario, Canada-based RIM urged IT admins to apply the BlackBerry Enterprise Server 3.6 Service Pack 1a for Microsoft Exchange to plug a denial-of-service hole and password bypass vulnerabilities.

The BlackBerry Enterprise Server is a crucial part of RIM's aggressive push into the enterprise PDA market. The Enterprise Server lets IT departments connect Microsoft Exchange or Lotus Notes/Domino servers to a wireless carrier to allow for corporate e-mail delivery.

The company said the service pack upgrade fixes a bug that causes the server to consume 100% of CPU resources within several minutes when handling extremely large PDF documents.

It also addresses some errors in the handling of password-protected attachments. RIM warned that in some instances, when multiple users receive an e-mail with a password-protected attachment and one user enters the correct password, a vulnerability allowed other recipients to view the attachment without supplying the password.

Additionally, if a user receives a BlackBerry e-mail with a password-protected attachment and supplies the correct password, then the user doesn't have to supply the password when receiving subsequent e-mails with the same attachment.

It also fixes an issue that caused a DoS scenario if the S/MIME encryption protocol is enabled or disabled on a BlackBerry Enterprise Server.

"When a user is being moved between BlackBerry Enterprise Servers, no warning appears if the user could not be added to the new BlackBerry Enterprise Server. If the move fails, the user is removed from the original BlackBerry Enterprise Server but is not added to the new BlackBerry Enterprise Server. The user will appear to still be on the original BlackBerry Enterprise Server," RIM explained in the detailed advisory.

Service Pack 1a also includes numerous bug fixes related to the smooth running of the Enterprise Server.