Security Holes Patched in BlackBerry Enterprise Server

Wireless device maker Research in Motion (RIM) has
released a new version of its BlackBerry Enterprise Server for Microsoft
Exchange to fix a series of security vulnerabilities.

An advisory from the Ontario, Canada-based RIM urged IT admins to apply
the BlackBerry Enterprise Server 3.6 Service Pack 1a for Microsoft Exchange to plug a denial-of-service
hole and password bypass vulnerabilities.

The BlackBerry Enterprise Server is a crucial part of RIM’s aggressive
push into the enterprise PDA market. The Enterprise Server lets IT
departments connect Microsoft Exchange or Lotus Notes/Domino servers to a
wireless carrier to allow for corporate e-mail delivery.

The company said the service pack upgrade fixes a bug that causes the
server to consume 100% CPU resources in several minutes when handling
extremely large PDF documents.

It also addresses some errors in the handling of password-protected
attachments. In some instances, when multiple users receive an e-mail with a
password-protected attachment and a user enters a correct password, RIM
warned that a vulnerability allowed other recipients to view the attachment
without supplying the password.

Additionally, if a user receives a BlackBerry e-mail with a
password-protected attachment and supplies the correct password, then the
user doesn’t have to supply the password when receiving subsequent e-mails
with the same attachment.

It also fixes an issue that caused a DoS scenario if the S/MIME encryption
protocol is enabled or disabled on a BlackBerry Enterprise Server.

“When a user is being moved between BlackBerry Enterprise Servers, no
warning appears if the user could not be added to the new BlackBerry
Enterprise Server. If the move fails, the user is removed from the original
BlackBerry Enterprise Server but is not added to the new BlackBerry
Enterprise Server. The user will appear to still be on the original
BlackBerry Enterprise Server,” RIM explained in the detailed advisory.

Service Pack 1a also includes numerous bug fixes related to the
smooth running of the Enterprise Server.
