If you’re the IT admin responsible for managing devices on a BlackBerry Enterprise Server, you’ll want to pay close attention. Vulnerabilities exist that could allow remote attackers to run malicious code on the BlackBerry Enterprise Server (BES) software.

The vulnerability, which has been rated as “high severity”, involves how BlackBerry’s enterprise software handles TIFF image files on webpages, in emails, and in instant messages.

BlackBerry’s advisory note:

Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process TIFF images for rendering on the BlackBerry smartphone.

Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server.

Depending on the privileges available to the configured BlackBerry Enterprise Server service account, the attacker might also be able to extend access to other non-segmented parts of the network.

Essentially, a malicious hacker could craft a booby-trapped TIFF image file and either trick a BlackBerry smartphone user into visiting a webpage carrying the image, or embed the malicious image directly in an email or instant message.

Even scarier, the BlackBerry Messaging Agent flaw does not require the user to click a link or open an email for the attack to succeed.

To be clear, this is not a vulnerability in the BlackBerry smartphones themselves; it affects only the BlackBerry Enterprise Servers used by businesses.

via Sophos