BlackBerry Server Can Be Hacked With Image File

Trailrunner7 writes "There are remotely and easily exploitable vulnerabilities in the BlackBerry Enterprise Server that could allow an attacker to gain access to the server by simply sending a malicious image file to a user's BlackBerry device. The vulnerabilities are in several version of BES for Exchange, Lotus Domino and Novell GroupWise, and Research in Motion said that an attacker who is able to exploit one of the bugs might also be able to move from the compromised BES server to other parts of the network."

It's A Trade Off

[WrongSizeGlass]

Sure my client's BES could be hacked with an image file, but the image is of a really hot chick, so it's a fair trade.

Re:

[Anonymous Coward]

You made me click on the TFA with your comment!

I am sad. There is no hot chick in TFA... :(

Re:

[girlintraining]

Sure my client's BES could be hacked with an image file, but the image is of a really hot chick, so it's a fair trade.

That's pretty sexist. Only about half the population would appreciate that.

Re:

[Anubis350]

To be fair, *if* the GP were assuming that approx. 50% of the pop is male, 50% female, and that there are approximately similar numbers of gays and lesbians (no idea if that's in any way true or not), the comment would make perfect sense without being homophobic...

Re:

[jmac_the_man]

To be even more fair, the question was about "is into chicks." If gays and lesbians occur with the same frequency in the population of men and women, respectively, they would cancel each other out. But if bisexuals ALSO occur with the same frequency regardless of gender, they don't cancel each other out, but instead that number counds twice.

Re:

[Anubis350]

unless there's enough asexuals to cancel them out :-p

Re:

[Scott Scott]

Actually, anyone who's read girlintraining's user page would know she's anything but homophobic.

(Did someone say something about glass houses?)

Re:

[drinkypoo]

That's a lot of crap, there are tons of (straight) women who look at the pictures in Playboy because they can appreciate a pretty woman, but virtually no (straight) men who will even open a copy of Playgirl.

It's all about the image

[SilverHatHacker]

1. Send goatse image to BB.
2. BB holder frozen in shock.
3. Walk up to frozen holder, appropriate keys/saved passwords/etc.
4. ???
5. Profit!

Re:

[Kell Bengal]

Obvious goatse troll is obvious.

Re:

[Pseudonym Authority]

I knew it was goatse and still clicked. What kind of effeminate pansy is still shocked by goatse after all these years. For fucks sakes this is the internet. At least link to Last Measure [nimp.org] so that the jews.wma will annoy people. (And it's run by the GNAA, a fine organization with a deep and fulfilling history on slashdot.)

Re:

[Pseudonym Authority]

Well, one particularly nasty person posted some CP of a kid being raped a while back, during a discussion on Tor vulnerabilities (I think). /. is total garbage when it comes to search, so I can't point you to it until CmdrTaco gets off his ass to fix it. If you are really serious about the road you are taking, you could always try that. May be hard to avoid prison with though. Not to mention that it kinda crosses the lines from asshole to monster pretty quick. Might want to leave that to the /b/tards.

Good

Re:

[Taty'sEyes]

I'm a little disturbed by your opinion of SFW. What type of work do you do exactly?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[That Guy From Mrktng]

This is your hipster server [superstock.com] Steaming Chrome Racks baby!

Re:

[belg4mit]

No, they certified the (stupidly named) PlayBook tablet.

A Malicious Image File eh?

[Anubis350]

I always knew we needed an emoticon for "pwned!"

Do they think I'm stupid?

[MacGyver2210]

So you want me to click a link to an article about hacking via image files...?

*opens lynx*

This article is illegal!

[xmorg]

This article violates teh DMCA and has been sent to the DHS for immediate action against the terrorists who wrote it.
All those involved will be hand molested by the TSA before being sent to Guantanamo bay.

Sad is how negative this was written!

[Anonymous Coward]

RIM announced the problem, WITH the solution, it wasn't. Announced by a 3rd party, so RIM remains dedicated to security.

The problem is on servers, not on devices, maintaining device security. One would need intimate knowledge of the BES set up to actually extract information from the server.

Their communication between device and server has yet to be hacked

Re:

[Alex Zepeda]

I think you forgot the quotes around "security". As long as they're decrypting stuff voluntarily for various governments, there's nothing secure about it.

The servers control the devices.

[apparently]

While this may be true:

Their communication between device and server has yet to be hacked

This isn't:

One would need intimate knowledge of the BES set up to actually extract information from the server.

Their communication between device and server has yet to be hacked

From the KB warning:

"Vulnerabilities exist in how the BlackBerry MDS Connection Service and the BlackBerry Messaging Agent process PNG and TIFF images for rendering on the BlackBerry smartphone. Successful exploitation of any of these vulnerabilities might allow an attacker to gain access to and execute code on the BlackBerry Enterprise Server. Depending on the privileges available to the configured BlackBerry Enterprise Server service account."

Access to the besadmin a

Re:

[kevinmenzel]

But what is true is that the Slashdot editors or the submitter has decided that instead of even mentioning the patch, they would just focus on the exploit.

Strange of course, as the source material for this post is titled "Severe Remote Flaw Fixed in BlackBerry Enterprise Server", and the source for THAT article does indeed include the patch itself.

Re:

[lennier]

But what is true is that the Slashdot editors or the submitter has decided that instead of even mentioning the patch, they would just focus on the exploit.

But of course the patch has automagically applied itself to every BES server in the world, instantly, leaving no window of vulnerability while sysadmins scramble to apply it.

I mean, that's what patches do, right?

TNG

[Kebis]

Isn't this exploit pretty much what Captain Picard wanted to do to the Borg in the episode with Hue?

This hasn't been a problem for a while

[narcc]

RIM shipped a patch for these vulnerabilities almost a week ago. The headline should read "Blackberry Server Can't Be Hacked With Image File"

That's right, this was discovered and fixed long before it could become a problem. That's what I expect from RIM's best-in-class security.