BlackBerry Enterprise Server Vulnerability
Written by Rebecca Mints   
Wednesday, 16 July 2008 10:10

Crafted Portable Document Format files can allow an attacker to gain control of a BlackBerry server. BlackBerry vendor RIM says the bug is in the PDF Distiller component of the Attachment Service, which runs on the server and prepares PDF email attachments for display on a BlackBerry handheld. It seems the bug is only triggered when a user opens the PDF on their BlackBerry handheld.


BlackBerry Enterprise Server 4.1 Service Pack 3 (4.1.3) to 4.1 Service Pack 5 (4.1.5) and BlackBerry Unite! prior to 1.0 Service Pack 1 (1.0.1) Bundle 36 are affected. Whilst the problem has been fixed in BlackBerry Unite! from Bundle 36, according to the vendor no patch or update is yet available for Enterprise Server.


As a workaround, RIM recommends disabling PDF processing in the Attachment Service. As RIM gives the security vulnerability a score of 9.0 out of a maximum of 10, administrators are advised to take rapid action.

