A Picture Is Worth a Thousand Exploits
Well, maybe not a thousand, but enough to get someone in trouble. BlackBerry released news this week of a vulnerability, demonstrated with a proof of concept, in the way their BlackBerry Enterprise Servers handle TIFF image files. An attacker can craft a custom TIFF image by inserting malicious code into the image itself; that code executes on the BES server when the end user views the file. The attacker could send the crafted TIFF to a BlackBerry user as an attachment or embedded in an email. If it arrives as an attachment, the end user would have to open and view the image for the code to run; if the image is embedded, the user would simply need to open the email. Once the code runs and successfully exploits the BES server, the attacker has remote code execution on it. This could result in stolen data, an outage for every user on the system, or essentially anything else an attacker could think of.
This is a bit of a twist on normal exploitation simply because the malicious code is actually inside the image, something that hasn’t really been done before. Sure, attackers have used executables that pretend to be images, or hidden malicious URLs behind image links, but they haven’t been able to use the image itself before now. Granted, this particular vulnerability is limited to BlackBerry Enterprise Servers running any version below BES 5.0.4 MR2, but it is going to give people another thing to think about, since the days when all images were essentially safe files* are apparently over.
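As an added defensive example (not code from this post or from RIM), here is a Python structural sanity check that a mail gateway could run on a TIFF attachment before any server-side renderer touches it: it parses the header and walks the IFD chain, flagging IFD offsets, entry counts and value lengths that point outside the file, plus looping IFD chains. The sample images are constructed inline; the check is structural only and does not decode pixel data.

```python
import struct

# Byte size of each TIFF field type (1=BYTE, 2=ASCII, 3=SHORT, 4=LONG, 5=RATIONAL, ...)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def check_tiff(data: bytes, max_ifds: int = 64) -> list:
    """Return a list of structural problems; an empty list means the TIFF looks well-formed."""
    issues = []
    if len(data) < 8:
        return ["file shorter than the 8-byte TIFF header"]
    order = data[:2]
    if order == b"II":
        end = "<"          # little-endian
    elif order == b"MM":
        end = ">"          # big-endian
    else:
        return ["unknown byte-order marker %r" % order]
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        issues.append("bad magic %d" % magic)
    seen = set()
    while ifd_off != 0:
        if ifd_off in seen:
            issues.append("IFD chain loops at offset %d" % ifd_off); break
        seen.add(ifd_off)
        if len(seen) > max_ifds:
            issues.append("more than %d IFDs" % max_ifds); break
        if ifd_off + 2 > len(data):
            issues.append("IFD offset %d beyond end of file" % ifd_off); break
        (count,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
        end_of_entries = ifd_off + 2 + 12 * count      # each directory entry is 12 bytes
        if end_of_entries + 4 > len(data):
            issues.append("IFD at %d declares %d entries past end of file" % (ifd_off, count)); break
        for i in range(count):
            e = ifd_off + 2 + 12 * i
            tag, typ, n, val_off = struct.unpack(end + "HHII", data[e:e + 12])
            size = TYPE_SIZES.get(typ)
            if size is None:
                issues.append("tag %d has unknown type %d" % (tag, typ)); continue
            total = size * n
            # Values larger than 4 bytes live at val_off; the whole run must fit in the file.
            if total > 4 and val_off + total > len(data):
                issues.append("tag %d value (%d bytes at %d) beyond end of file" % (tag, total, val_off))
        (ifd_off,) = struct.unpack(end + "I", data[end_of_entries:end_of_entries + 4])
    return issues

# Constructed samples: a minimal valid TIFF, one whose first IFD offset points past EOF,
# and one whose ImageDescription (tag 270) claims 4096 bytes that the file does not contain.
GOOD = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 1) + struct.pack("<HHII", 256, 3, 1, 1) + struct.pack("<I", 0)
BAD_IFD = b"II" + struct.pack("<HI", 42, 0x7FFFFFFF)
BAD_VALUE = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", 1) + struct.pack("<HHII", 270, 2, 4096, 26) + struct.pack("<I", 0)
```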
Everyone out there running a BES server should check their systems and, if needed, upgrade to version 5.0.4 MR2, or download and install RIM’s interim security update for their architecture from http://www.blackberry.com/go/serverdownloads.