BlackBerry Acknowledges Two BES Security Flaws
The company says both vulnerabilities could enable remote code execution.
"The vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone," writes Help Net Security's Zeljka Zorz.
"The MDS Connection Service flaw requires an attacker to create a web page and persuade a BlackBerry smartphone user to view that page and click on a link," The H Security reports. "With the Messaging Agent flaw it is possible for an attacker to embed a specially crafted image into an email to a user of the enterprise server; it is not necessary for a user to click on anything or even attempt to view the message for the exploit to take place."
"It's important to underline that these are not vulnerabilities in BlackBerry smartphones themselves," notes Sophos' Graham Cluley. "Like other BlackBerry-related vulnerabilities we've seen in the past, the potential attack is against the BlackBerry Enterprise Server used by businesses."
"BlackBerry hasn't received any reports of attacks just yet, but urges IT administrators to update their BES software all the same," writes Engadget's Nicole Lee.