BlackBerry advises blocking PDFs until flaw is fixed
The flaw -- which drew a severity score of 9 out of 10 -- could be exploited if attackers are able to trick a user into opening a malicious PDF file attachment as part of an email, according to a BlackBerry advisory. If a user opens the specially crafted file, arbitrary code could execute and compromise the enterprise server running the BlackBerry Attachment Service.
That service is responsible for processing attachments for the devices.
As a result, Research in Motion, the smartphone's maker, is advising businesses to block the attachment service from processing PDF files.
"You can [do this] by editing the list of file format extensions that the [service] opens, and then preventing the PDF attachment distiller from running on the [service]," the BlackBerry advisory said.
The company has not issued a timeline for a fix.
But Dan Hoffman, chief technology officer at SMobile Systems, a mobile security firm, told SCMagazineUS.com on Wednesday that businesses should be proactive and install security solutions on their devices to help detect and block these kinds of threats.
"These devices are computers," Hoffman said. "They have the exact same functionality as a laptop or desktop computer. People wouldn't think about having their PC directly connected to the internet without anti-virus or a firewall."
But Sean Moshir, chief executive officer of mobile application developer CellTrust, said organizations should not worry because this vulnerability affects the server and is not device-specific.
"This is a more of a job for the IT staff than the end-user being worried about," he told SCMagazineUS.com on Wednesday.
Hoffman said attacks targeting smartphones may already be happening in large numbers but there is no way to currently track infection rates. Exploits will grow even more when cybercriminals decide the financial motivation is great enough to attack handhelds.