Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Security Strategy, Plan, Budget, Vulnerability Management, Patch/Configuration Management, Incident Response, TDR, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

BlackBerry advises blocking PDFs until flaw is fixed

A major vulnerability in the BlackBerry Attachment Service could result in a takedown of the enterprise server that supports the popular mobile devices.

The flaw -- which drew a severity score of 9 out of 10 -- could be exploited if attackers are able to trick a user into opening a malicious PDF file attachment as part of an email, according to a BlackBerry advisory. If a user opens the specially crafted file, arbitrary codecould execute and compromise the enterprise server running the BlackBerryAttachment Service.

That service is responsible for processing attachments for the devices.

As a result, Research in Motion, the smartphone's maker, is advising businesses to block the attachment service from processing PDF files.

"You can [do this] by editing the list of file format extensions that the [service] opens, and then preventing the PDF attachment distiller from running on the [service]," the BlackBerry advisory said.

The company has not issued a timeline for a fix.

But Dan Hoffman, chief technology officer at SMobile Systems, a mobile security firm, told on Wednesday that businesses should be proactive and install security solutions on their devices to help detect and block these kinds of threats.

"These devices are computers," Hoffman said. "They have the exact same functionality as a laptop or desktop computer. People wouldn't think about having their PC directly connected to the internet without anti-virus or a firewall."

But Sean Moshir, chief executive officer of mobile application developer CellTrust, said organizations should not worry because this vulnerability affects the server and is not device-specific.

"This is a more of a job for the IT staff than the end-user being worried about," he told on Wednesday.

Hoffman said attacks targeting smartphones may already be happening in largenumbers but there is no way to currently track infection rates.Exploits will grow even more when cybercriminals decide the financialmotivation is great enough to attack handhelds.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.