Blackberry users warned about unpatched PDF bug

RIM has warned users about a critical vulnerability in its BlackBerry Enterprise Server that could be used to hack their company's computers.

The US Computer Emergency Readiness Team (US-CERT), part of the Department of Homeland Security, also posted an alert after RIM had issued two security advisories. A patch is not yet available, but RIM said the problem had been "escalated internally to our development team."

A bug in the PDF distiller component of the BlackBerry Attachment Service, which runs on the BlackBerry Enterprise Server (BES), affects how the popular Adobe document format is processed on the server, said RIM in one of the advisories. The server running BES, not individual BlackBerry devices, is at risk, although an attack would involve a BlackBerry.

Malicious PDFs attached to email messages could "cause arbitrary code to execute on the computer that the BlackBerry Attachment Service runs on," the RIM warning said. "If a BlackBerry smart phone user on a BlackBerry Enterprise Server opens and views the specially crafted PDF file attachment on the BlackBerry smart phone, the arbitrary code execution could compromise the computer."

RIM posted workaround instructions for enterprise administrators that would prevent an attack by blocking PDF processing on a BES system.