Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Holes Found In RIM BlackBerry Service

Posted by Zonk on from the rim-just-cannot-catch-a-break dept.

An anonymous reader writes "Researchers have found several security holes in Blackberry handheld devices and the servers that power them, according to a story at Washingtonpost.com. The research points out serious flaws in the BlackBerry server, which could be exploited by convincing Blackberry handheld users to click on an image file attachment. From the article: 'Lindner's slides from his presentation -- which he agreed not to release until RIM has fully fixed this problem -- show that the Blackberry server which manages all of the encryption keys needed to unscramble e-mail traffic to and from all Blackberry devices registered on the network stores them on a Microsoft SQL database server in plain, unencrypted text. Lindner found that by convincing a Blackberry user to click on a special image attachment, that handheld device could be made to pass on malicious code to the Blackberry server, which could then be taken over and used to intercept e-mails or as a staging point for other attacks within the network.'"

89 comments

  1. This gives a whole new meaning to... by Oldsmobile · · Score: 0, Offtopic

    This gives a whole new meaning to getting a RIMming...

    --
    Some say he is made with ascii, others that he is eyeballed daily by millions. All we know is, he is known as the Sig
  2. Ha! by JonN · · Score: 4, Funny
    That will teach them no good thiefs to use patented technology! Never know what you're gonna get

    *watches the karma drop* btw I'm a RIM supporter

    --
    do.what.promptcmds
    1. Re:Ha! by Anonymous Coward · · Score: 0

      Someone is desperately vying for a co-op position at RIM I see...

  3. How could they let this slip? by Kasracer · · Score: 1, Informative

    I'm no SQL guru, but even I know how to avoid these kinds of attacks. Plus, storing information like that in plain text is just... dumb.

    1. Re:How could they let this slip? by WebCrapper · · Score: 3, Interesting

      What gets me is they're using a natoriously insecure OS, with clear text values in the database... Thats just asking for more trouble than you can get in.

    2. Re:How could they let this slip? by Anonymous Coward · · Score: 3, Informative

      I'm not really sure when the change happened, but the SQL server upgrade happened at version 4.0...previously the enterprise server did not use SQL. This is probably the only reason it took so long to find the flaw.

      BTW version 4 is causing duplicate calendar and address book entries for lotus notes users (all 800 of our blackberries are showing this bug yah!). We are debating going back to 3.6 as 4.0 only added wireless synch for address and memo dbs for the user. Not that big of a deal to plug it into a pc once in a while vs. getting duplicate entries.

    3. Re:How could they let this slip? by Eric+Giguere · · Score: 1

      No, that's wrong. You're probably confusing the fact that the BES used to ship with MSDE, the free/lite version of SQL Server. MSDE as a product has been replaced with SQL Server 2005 Express.

      Eric
      Some BlackBerry stuff (not much)

  4. Good thing... by metaomni · · Score: 0

    ... they're being patented out of existence. Sure makes things like this a little less serious, in that Office Space sort of way.

    1. Re:Good thing... by Doctor+Memory · · Score: 4, Insightful

      Um, you might want to check back more often, latest news is that the Patent Office has admitted it will probably invalidate all of the patents held by NTP that are at the heart of the BlackBerry patent dispute. This will clear the way for RIM to resume "business as usual".

      --
      Just junk food for thought...
    2. Re:Good thing... by Anonymous Coward · · Score: -1, Troll

      Nice to see that if you are a "big Guy" (tm) you can get patents invalidated that seem to bother you.

      now if the patents are invalidated AND put in the public domain then I'll be happy. but i am betting that patents by RIM are sitting there waiting to be submitted the second the others are invalidated.

      RIm is not a bunch of "nice guys".

    3. Re:Good thing... by Enforce1 · · Score: 1

      Wanna go to Tchotskis? I got a virus on my Blackberry, and if I don't get outta here, i'm gonna lose it

    4. Re:Good thing... by pete6677 · · Score: 1

      I wonder what type of recourse RIM would have against NTP for legal fees and disruption of business. NTP caused quite a bit of damage with these patents, and if they are found to be invalid I certainly hope they wouldn't be able to just get away with it.

    5. Re:Good thing... by Fishstick · · Score: 1

      would imagine they would have to prove NTP knew the patents were invalid -- could be tough

      --

      There is much cruelty in the universe, John.
      Yeah, we seem to have the tour map.

    6. Re:Good thing... by dimension6 · · Score: 1

      I think this "patenting-as-your-only-business-model" thing should be disallowed, but with all due respect, RIM knew about the patents for quite some time and did nothing about it (NTP approached RIM about the patent infrigement early on).

    7. Re:Good thing... by Anonymous Coward · · Score: 0

      RIM already has several US patents covering their system and method of wireless email delivery (Good sued RIM to try to have them invalidated, if you remember) - the fact that the NTP patents were not reference or considered Prior Art on the RIM patents should at least indicate a) the USPTO is off their rocker or b) the NTP patents shouldn't really apply to RIM's delivery model (which was their opinion when NTP initially said "give us money" back in ~2001, and to an extent still is). RIM's arguments with NTP have nothing to do with the NTP patents being "bothersome" or their not wanting to license technology, but has much more to do with the bredth of scope of the NTP patents (which is why they are currently being invalidated) combined with the outrageous royalty rate that NTP was/is asking for. NTP has already made plain that if they beat RIM they plan to force every other player in the wireless email delivery (not just "push", mind you) market pay them as well (Good and Nokia already license them, and Visto just partnered with them, so you have Seven, Smartner and MS still on the hook, as well as others). They are greedy, greedy people looking to make money off other's hard work (prototype work done in the early '90s by Mr. Campagna aside) and fully deserve the title of "Patent Troll".

  5. Only surprise here... by sarlos · · Score: 1

    ...is that it took so long to find this. Blackberries are in such wide use around government agencies, I would have hoped they would have found something like this long ago. I always have to wonder about the idiot designers and coders who create bugs like this.

    --
    Government's view of the economy: If it moves, tax it. If it keeps moving,regulate it. If it stops moving, subsidize it.
    1. Re:Only surprise here... by ArsenneLupin · · Score: 1
      Blackberries are in such wide use around government agencies, I would have hoped they would have found something like this long ago.

      That should teach them to discriminate against the Irish! Had they had fairer hiring standards, they would have discovered the problem long ago!

    2. Re:Only surprise here... by ja-ja-morkmorkmork · · Score: 1

      sláinte!

    3. Re:Only surprise here... by Anonymous Coward · · Score: 0

      More like O'Brien or O'Connor. (An á won't trigger an SQL injection. An apostrophe, however, will...)

  6. Imagine by Oldsmobile · · Score: 0, Offtopic

    Imagine an army of handheld zombie spamservers!

    --
    Some say he is made with ascii, others that he is eyeballed daily by millions. All we know is, he is known as the Sig
  7. Linux by Anonymous Coward · · Score: 0

    That's exactly why I use my Sharp Zaurus Linux handheld with 802.11b CF card and connect to the IMAP server I administrate myself. Never really understood why RIM existed. $80 a month to be hacked and sued?

    1. Re:Linux by eponymouse · · Score: 1

      ...because your IMAP server never has bugs? 802.11b = EDGE? Know your s#!7 before you open your mouth.

  8. eh by HeWhoRoams · · Score: 1

    I think that publishing an exploit where the user has to receive a corrupt tagged TIFF file is just making the problem into a bigger issue.
    The article says it only affects certain versions of the servers, and than only a certain, corrupt image file. THAN it only prevents you from getting other attachments.
    Not exactly a big deal in my book (of course we use palms anyway, haha)

    1. Re:eh by Anonymous Coward · · Score: -1, Troll

      Please learn the difference between 'then' and 'than'. Thanks.

    2. Re:eh by Kasracer · · Score: 0

      The article describes what sounds like an SQL injection attack, which is far more serious.

    3. Re:eh by Anonymous Coward · · Score: 0

      Neither you nor the article submitter is thinking clearly. This flaw also means that Blackberry end users (or anyone else with physical access to one) on can PWNZ0R the server and everyone's data.

  9. RIM by tabooli · · Score: -1, Flamebait

    this type of bonehead mistake is a perfect example of what happens when you use RIM's hiring policies..

    it is my understanding that they actively recruit and employ people straight from the comp sci departments at nearby universities. I've seen job postings from them over the years, and have always been irked by their education requirements (none of which I meet, of course)

    when I know they are hiring newbs from U of W that don't know their ass from a hole in the ground, this sort of thing is not a surprise to me!

    1. Re:RIM by JonN · · Score: 1
      when I know they are hiring newbs from U of W that don't know their ass from a hole in the ground, this sort of thing is not a surprise to me!

      Interesting because UofW has an amazing Computer Science program, is reknown for the quality of the co-op students that they send out, and is one of the largest sources for technology labour in Canada.

      --
      do.what.promptcmds
    2. Re:RIM by CosmeticLobotamy · · Score: 1

      Exactly. No one should be able to get a job until they've had a job. That'll fix everything.

    3. Re:RIM by incast · · Score: 4, Interesting

      I used to work at RIM, and if you honestly think that it is mostly staffed by 23 year olds, you are mistaken. The vast majority of folks at RIM are not fresh out of undergrad and the technical genius that does exist there is indeed very impressive (I worked on the business side, not the tech side.. and the tech guys really know what they're doing). And further, if you honestly think that Lazaridis and Balsillie run the type of place where major design decisions are made by junior people, I'm not surprised that you don't have the qualifications to get a job there.

      The fact that they made a small design mistake isn't really that surprising. These things happen all the time. Their response is what's important going forward, and I (as a current BB user) have faith that they will quickly patch this up and move on.

    4. Re:RIM by Kasracer · · Score: 1, Interesting

      They obviously don't know what they're doing if ANYONE using a BlackBerry can use an SQL Injection Attack on their own server. This is extremely easy to check for. Just like buffer overflow attacks. There is no reason why either should exist except for either laziness or pure stupidity.

      They made two big mistakes with their design. This kind of thing should be surprising. If they're selling a product used in millions of businesses, it has to be secure. Storing important information in unencrypted text and not taking the time to add a few more lines of code to do some verification before submitting anything to the database is inexcusable.

    5. Re:RIM by incast · · Score: 1

      You make several good points. As I said, I'm not fully familiar with all of the advanced technical details of the system (I worked in Marketing). My guess is that this story is blown a wee bit out of proportion, or someone just got a bit sloppy on implementation or something along those lines. I would be genuniely surprised if someone seriously dropped the ball on this.. it just isn't how BlackBerry does business. (Although they do seem to be a bit more "push it out the door" than they may have been two years ago when I worked there.)

      My original point (if you take out the negativity focussed at the parent) was that this stuff happens in software and I'm sure it will get fixed soon.

      Just to follow up on your other point -- BlackBerry is held by governments and independent audiors as being ridiculously secure. It is one of if not the only wireless email solution that is FIPS-140 cerified, amongst its other security certifications.


      http://www.blackberry.net/products/software/server /groupwise/security.shtml is my source and a good starting point to read more about BlackBerry security. This page is far too buried on the site if you ask me...

      Have a good one.

    6. Re:RIM by tabooli · · Score: 1, Insightful

      this is not a SMALL design mistake.. this is a HUGE GLARING ERROR. perhaps you thinking "they made a small design mistake" explains why you worked in the marketing department.

      If the vast majority of the tech side is "very impressive" then this mistake wouldn't have been made, the structure and design of these systems should have been done in a team environment, and someone with experience should have flagged this in the very beginning.

      there is, of course, a place for fresh grads, but it should be working along side seasoned professionals. Also, I don't think that age is a factor: 43 or 23, if you have 4 years of university under your belt, you're on your way to a good career, but you likely do not have the knowledge and know-how to replace someone with years of work "in the field"

    7. Re:RIM by eponymouse · · Score: 1

      It is interesting to have an inside view of things rather than to simply criticize anonymously on the web.
      It's unfounded subjective views like these that make reading slashdot feel like a waste of time.

    8. Re:RIM by incast · · Score: 1

      See my reply to Kasracer re: "small mistake" and my slightly educated guess as to how it would happen. And I do agree that I should be on the business side, not the tech side.. if I was ever on the tech side, these sorts of stories would be a lot more common.

      I definitely agree with you re: place for new hires.. I don't think many people would disagree. What I was trying to say is that this is very much the way things are within RIM (e.g. teams working on specific projects with a range of experience and backgrounds in them). I was trying to give a more inside view to how things get done at RIM.. a fair defense given the accusation made in the parent.

      But I will also defend RIM a bit more and say that it doesn't matter whether the team is staffed entirely by folks that have been doing the job for 40 years, mistakes still happen.. the important thing isn't to gripe and whine about the problem happening, but rather to focus on a quick and effective solution. That is what is productive and that's what makes a great company great. Hopefully RIM will do just that.

      Cheers.

    9. Re:RIM by chrish · · Score: 0, Offtopic

      Woo, the best man at my wedding works at RIM...

      --
      - chrish
    10. Re:RIM by ArsenneLupin · · Score: 0, Redundant
      know their ass from a hole in the ground

      Hehe ;-)

    11. Re:RIM by ArsenneLupin · · Score: 2, Insightful
      The fact that they made a small design mistake isn't really that surprising.

      Using a Microsoft product on a server is a small design mistake?!?! You must be new here!

    12. Re:RIM by Anonymous Coward · · Score: 0
      Oh! You thought the the OP meant U of Waterloo!

      Not Waterloo... Winnipeg!!

      (Canadians'll get it)

    13. Re:RIM by 99BottlesOfBeerInMyF · · Score: 3, Insightful

      The fact that they made a small design mistake isn't really that surprising. These things happen all the time.

      I'm not sure you can write this off as a small design mistake. This seems to me more like a fundamental design flaw based on a series of bad choices. They want you to run a Windows based server, outside your firewall, running a number of services, with security data stored unencrypted, and full privileges to the corporate e-mail server. That sounds like someone's friend or nephew was running the server project and either would not listen to advice that things should be done right, rather than quickly, or simply was unable to hire competent personnel. This is why companies making products like these should have a security team outside each project's chain of command, and why that team should be listened to. Now, who will trust them to do the right thing next time. What security conscious company will consider them as a solution provider?

    14. Re:RIM by incast · · Score: 1

      Hey.. at least my UID starts with a 1 :)

      Anyway.. I actually asked that question to folks in the tech side.. and their entire reasoning is that in 1999 (and arguably right now), the majority of their install base was running either Exchange or Notes as their email platform.. thus, in original design, they considered tight interoperability as critical to BB's success. That and MAPI allows pretty tight integration between Exchange and the BlackBerry Enterprise Server. (With BES 4.0 they added groupwise to this to support a larger base of government clients.)

      BB started in the late 90s and their initial target was the Fortune 500 companies.. so essentially the BES as a product and the BlackBerry architecture as the solution are the result of the backrooms of the Fortune 500 companies of the day. This interoperability made initial TCO for BlackBerry very low (think thousands instead of tens of thousands) and thus made ROI figures very high.

      I can't speak about the security implications of this because I just don't know enough about the security environment. RIM used to sell its security on three things: 1) Total AES (then 3DES) encryption from end to end, 2) Everything is behind the firewall (which I surmise is where the problem is here) and 3) FIPS certification. Feel free to offshoot from there.

    15. Re:RIM by Beryllium+Sphere(tm) · · Score: 1

      I'm a security consultant and a CISSP.

      That was not a small mistake. It was a series of mistakes, some of which fell short of best practice and some of which fell short of standard practice.

      In fact I'll use this case as an example to explain to clients why it's imperative not to store sensitive information in plaintext on an exposed server.

    16. Re:RIM by apparently · · Score: 1

      They want you to run a Windows based server, outside your firewall,

      The BlackBerry Enterprise Server does not, by any means, run outside the firewall.

    17. Re:RIM by Anonymous Coward · · Score: 0

      You claim of highly skilled and technical people may be true but when they do exist, it is only at extreme higher levels of the support structure. Our BB guy is on the phone with our carrier and RIM troubleshooting our users BB issues all the time and the first 3 or 4 levels of support are completely useless and you MUST work your way up the support ladder. It takes until at least a level 3 person that you get past the "remove the battery and restart the handheld", "reregister with the wireless network and try again" or "try another sim/handheld". This gets insane when you are forced to travel this path several times a day. Luckily I do not get directly involved in the process until the BES or our mail system is involved and RIM support seems decent at that point.

    18. Re:RIM by incast · · Score: 1

      I'll agree with you there -- my experience with the entire TSupport program was that it wasn't very good. The fact is that they want you to pay to get elevated automatically... not necessarily a good customer service practice.

    19. Re:RIM by cduffy · · Score: 1
      Interesting because UofW has an amazing Computer Science program, is reknown for the quality of the co-op students that they send out, and is one of the largest sources for technology labour in Canada.
      The University of Texas is likewise renowned for its computer science program -- but as a programmer working in Austin (and thus frequently alongside UT graduates), I've only met one who's really impressed me.

      CSU Chico, where I attended, had a strong claim to have one of the best computer science programs in California -- and some of the professors were very good -- but the grad students by and large left me unimpressed there as well.

      All I can conclude is that graduating from a university, even a well-reputed one, does not imply strong real-world skills.

    20. Re:RIM by cduffy · · Score: 1
      No one should be able to get a job until they've had a job. That'll fix everything.
      It's not hiring newbs at all that's the problem -- it's hiring too many of them, and expecting them to be actually useful without an extended training and mentoring period. There are a few who can do that -- but even then, mentoring and simple experience is absolutely essential.

      Bringing in a bit of new blood now and again is a good thing. Having a workforce devoid of practical experience is a recipe for disaster.

  10. READ! by temojen · · Score: 3, Interesting

    It's a corrupt PNG (a common image file type), that may pass code to the server to be run there (as administrator), with complete access to the corporate network, including all the plain-text, non-passphrase-protected private keys of all blackberry users on the same corporate network.

    If true, this is a gaping hole, and a very big deal.

    1. Re:READ! by garylian · · Score: 2, Informative

      Yeah, my wife works for Mercedes, and they are telling ALL users to not open any email with any type of graphics attachment on it, not just the .tiff and .png stuff.

      It is a pretty darn huge security hole, and one that shouldn't impact the home user (at least not yet) in any major fashion.

      Then again, it is probably wishful thinking that Blackberry users are more technically knowledgeable than the average home user, and wouldn't open dumb emails from unsolicited sources.

    2. Re:READ! by Zro+Point+Two · · Score: 1
      No, it's a specially crafted TIFF attachment. If you read either the knowledge base article that is linked in the /. story or the US-CERT advisory (VU#570768) you can see that it's a TIFF attachment.

      Second, it will not allow remote code execution or to take over the server, it stops the attachment service (Again, from reading the US-CERT advisory). It is classed as a DoS attack...as in Denial of Service....as in stopping the ability to use that service. This is not a remote code execution CERT advisory.

      From the CERT advisory...

      "could allow an attacker supplying a specially crafted TIFF file to cause the service to stop functioning."


      Just because the author of a Blog (even if it is from a newspaper) says something, it does not mean that he has all the facts, or has the facts straight. You'll also notice that the author of the article "was left wondering" about code execution.

      The author then paraphrased Lindner about taking over the computer and not actually quoting the person.

      When Lindner's slides are released, and/or someone who was actually at the event and can say first hand what all Lindner found and proved, then it really is speculation as to if this is a small DoS attack or a huge gaping hole that everyone is claiming because they jump to conclusions. And I'm not talking about the encryption keys being stored in plain text, I'm talking only about the TIFF image issue.

      --
      Zro . two

      "I come from Canada...they say I'm slow....eh?"
    3. Re:READ! by ejhuff · · Score: 2, Informative
      From TFA:
      Lindner said the real problem -- a vulnerability in the way Blackberry servers handle portable network graphics (PNG) images, was not disclosed by either RIM or the US-CERT advisory.

      From the top of the CERT advisory:

      By causing the service to render a specially crafted TIFF file, an attacker could execute arbitrary code or cause a denial of service.
      Should an exploit be developed, this arbitrary code would run inside the corporate firewall on a windows system, possibly with administrator privileges, and possibly with access to the SQL server containing the encryption keys.

      From the advisory:

      To disable the image attachment distiller 1. On the desktop, click Start > Programs > BlackBerry Enterprise Server > BlackBerry Enterprise Server Configuration. 2. On the Attachment Server tab, select Attachment Server from the Configuration Option drop-down list. 3. In the Distiller Settings section of the window, clear the Enabled check box for Image Attachments. 4. Click Apply, then click OK. 5. In Microsoft Windows® Administrative Tools, double-click Services. 6. Right-click BlackBerry Attachment Service, then click Stop. 7. Right-click BlackBerry Attachment Service, then click Start. 8. Close the Services window.
      Note that they disable all image attachments, not just all TIFF attachments, although they do claim they only need to disable TIFF.

      In summary, the CERT advisory says it might be possible to execute arbitrary code on the server. The Blackberry advisory recommends disabling all image attachment processing on the server. No one has proved that an exploit exists to take advantage of this, but how can you know there isn't an exploit. In cases like this, the burden of proof lies with the one who claims it's safe to continue processing image attachments. Maybe there isn't a serious problem. Would you leave the attachment service running with without disabling the image attachments?

    4. Re:READ! by Zro+Point+Two · · Score: 1

      I do apologize, I did miss that part in the CERT about running arbitrary code.

      However, in the advisory they said to disable all images because someone could possibly rename a TIFF to use another file extension.

      And in TFA (as you put it) that is still paraphrasing Lindner. That article is the only place that mentions PNG files. Everything else only mentions TIFF files. It could be possible that the author misheard or mistakenly mentioned PNG's, and it could be that all PNG files will cause this but no one else has mentioned it. I just have a hard time taking the word of a non tech journalist as defacto.

      I'm not saying that this may not be something serious, but to see everyone getting all up in arms because one journalist said it's all PNG files is just rediculous in my opinion. At least until there is more released from Lindner and I can actually see it for myself.

      --
      Zro . two

      "I come from Canada...they say I'm slow....eh?"
  11. RIMjob by digitaldc · · Score: 3, Funny

    when I know they are hiring newbs from U of W that don't know their ass from a hole in the ground, this sort of thing is not a surprise to me!

    Apparently they don't know their ass from a hole in the security, either.

    --
    He who knows best knows how little he knows. - Thomas Jefferson
  12. Job at rim? by The_Rippa · · Score: 5, Funny

    Who in their right mind would store that info unencrypted? It must be pretty easy these days to get a rim job.

    1. Re:Job at rim? by Anonymous Coward · · Score: 0

      In Soviet Russia, jobs rim you. Which is easier though - getting a job in Russia or, like you say, getting a rim job??

    2. Re:Job at rim? by Anonymous Coward · · Score: 0

      Hahaha, yes yes indeed - these days it is rather easy to get a rim job.

      Lick away! haha

  13. So the real question is by Tiber · · Score: 1

    Will I be able to flash between 1.5 and 2.0 as much as I want?

    Does Norton see this as Brick.Trojan?

    Oops, that was the OTHER MegaCorp's product... Sorry, carry on.

  14. administrate? by Anonymous Coward · · Score: 0

    So, you enjoy security through obscurity via your 1337 n1nj4 'administrate' tricks, whereas the unwashed masses are forced to 'administer' their hardware, and, therefore, be compromised.
    U R t3h m4n!

    1. Re:administrate? by Anonymous Coward · · Score: 0

      Learn to speak.

      I administer beatings.

      I administrate boxen.

      Does that make things clearer?

    2. Re:administrate? by kfg · · Score: 1

      I administer beatings.

      You really should stop that you know? Moral is already as high as it's going to get.

      KFG

    3. Re:administrate? by Anonymous Coward · · Score: 0

      And do you conversate with the boxen while you administrate them, Manglish Speaker?

    4. Re:administrate? by Anonymous Coward · · Score: 0

      Maybe you should administer that beating to yourself.

      From http://englishplus.com/grammar/00000172.htm

      Administer is the verb form for administration or administrator.

      The word administrate is an incorrect form of the verb created by some who drop the -ion suffix of administration.

              Incorrect: He did a great job of administrating the estate.

              Correct: He did a great job of administering the estate.

      Be careful when forming verbs from nouns that end in -ation, as the correct verb form may not end in -ate.

    5. Re:administrate? by Anonymous Coward · · Score: 0

      administrate

      Pronunciation: -"strAt
      Function: verb
      Inflected Form(s): -trated; -trating
      Etymology: Latin administratus, past participle of administrare
      : ADMINISTER

      kthxbye

  15. Hey mods, it was obviously intended to be funny by Anonymous Coward · · Score: 0

    What about the parent post indicates that it was intended to be taken seriously?

    1. Re:Hey mods, it was obviously intended to be funny by Anonymous Coward · · Score: 0

      quote: *watches the karma drop*

  16. Black-and-blue-berry by Billosaur · · Score: 5, Interesting
    Lindner found that by convincing a Blackberry user to click on a special image attachment, that handheld device could be made to pass on malicious code to the Blackberry server...

    I would like to try and convince most people with a Blackberry to see if they could use it as a suppository, but I digress...

    From the Washington Post: RIM didn't mention anything about the flaw allowing attackers to download and execute programs on the targeted device, but I'm left wondering whether they escalated this because of just such a threat.

    I really don't think RIM is going to shout this from the rooftops. If the exploit is as bad as is disclosed, there's some serious trouble brewing that makes the brouhaha with NTP look like a cakewalk.

    From the Washington Post: Lindner said he started looking into Blackberry's proprietary communications protocols because the Blackberry server requires an unusual level of access inside of a corporate network: the server must be run inside a company's network firewall and on a Windows machine that is granted full and direct administrative access to the customer's internal e-mail server.

    And RIM thought this was a good idea because...? It's like building a 50-ft high wall around the castle, then creating a hole for an 8-lane superhighway to pass through. Imagine the enterprising and inventive hacker that can plant a zombie process on that machine. Talk about spam! Imagine if a Fortune 500 company starts getting nipped because their email servers are dumping spam on the unsuspecting public. Lawsuits for everyone!!

    --
    GetOuttaMySpace - The Anti-Social Network
  17. PATENT INFRINGEMENT! by SmurfButcher+Bob · · Score: 2, Funny

    Yep, sorry guys... this flaw is patented. Pay up!

    Heh, I wasn't actually going to post that, but I had a thought... if we patented the dumbest mistakes out there (buffer overflows, etc)... what company would want to prove "prior art" ?

    --

    help me i've cloned myself and can't remember which one I am

    1. Re:PATENT INFRINGEMENT! by Anonymous Coward · · Score: 0

      Suppose one of your blackberry users accidentally sent a malformed XML document by mail where the whole doc was in the Subject: field. Has anybody got any idea what would happen and why? I think we should be told.

  18. waiting for bush by Amouth · · Score: 0, Flamebait

    Waiting for bush to help them label this as a feture so that they can spy on the spys

    --
    '...if only "Jumping to a Conclusion" was an event in the Olympics.'
  19. I see the issue with MS SQL, but... by GWSuperfan · · Score: 1

    How would someone exploit the password issues on a GroupWise or LotusNotes- based BES install? Maybe I should be glad that RIM hasn't actually managed to come up with a backend-independent version (say, something that speaks IMAP or POP3), which would result in more servers being vulnerable.

    Also- given some of the other flaws that I've discovered with BlackBerries (which is not to say that I'm not an addict), something like this is not wholly unexpected. I mean, they haven't yet managed to make the timestamps on messages sent from handhelds actually conform to the relevant RFC (2822), and I've had an open trouble ticket with RIM on that issue for the better part of a year.

    --
    Fight psychopharmacological mccarthyism. http://www.norml.org/
    1. Re:I see the issue with MS SQL, but... by ohwell · · Score: 1

      when you upgrade to 4.0 it forces you to use sql2000! there is no nsf option anymore!

    2. Re:I see the issue with MS SQL, but... by ACMENEWSLLC · · Score: 1

      Umm -- Our Blackberrys speak to a backend independent POP3 server. While in our case it happens to be 3rd party back end POP3 servers and not our own, this already exists.

      However that is built into the Blackberry itself and requires no backend interface.

      Their sales guy told management POP3 was HIPAA compliant and that all communications to the POP3 servers was SSL encrypted. When I was tasked with making this work and asked them where I configure POP3s such as port number and SSL certificate, they said they only support POP3 not POP3s. Seems their sales guys and their technical support are not on the same page.

  20. Sounds like SQL Injection? by WoTG · · Score: 2, Interesting

    With the scant details provided, it sounds almost like an SQL Injection vulnerability. It doesn't sound like a problem with SQL Server directly, or else it wouldn't be a RIM specific problem.

    Anyway, can't administrators just filter all image attachments out through their AV or other software for the time being?

    1. Re:Sounds like SQL Injection? by ArsenneLupin · · Score: 1
      It doesn't sound like a problem with SQL Server directly, or else it wouldn't be a RIM specific problem.

      Then why is it that in 99% of the cases, whenever SQL injection is involved, SQL server is too? Must be really bad luck on Microsoft's part, I guess :-)

    2. Re:Sounds like SQL Injection? by cduffy · · Score: 4, Insightful

      SQL injection flaws are related to how well the application using the database is written, not the database itself. Any database-backed application can have SQL injection flaws, no matter what the underlying database, so long as the application is written by an idiot.

      Listen, kids: NEVER, NEVER, NEVER pass user-provided values into your SQL queries as strings. There's a reason every database access API in existance allows positional or named parameters to be passed outside the parser, and it's not just performance.

      And if I sound a little grumpy on this topic -- like maybe I'd recently worked with a developer lacking just this sort of clue... well, maybe you'd be interpreting my tone correctly.

    3. Re:Sounds like SQL Injection? by Builder · · Score: 1

      Does PHP have a way to do placeholders? I always use them with Perl DBI, but never found a working solution for PHP in the brief time I looked at it.

    4. Re:Sounds like SQL Injection? by aiken_d · · Score: 1

      Can we mod the parent up to 11, please?

      No matter what clever escaping you do, there is no excuse for building sql queries using user input to make a string. Bad, bad, bad idea. Bad for security, bad for encoding problems, bad for performance, bad for readability, bad for reusability, bad for baby jesus.

      Don't do it. Ever.

      -b

      --
      If I wanted a sig I would have filled in that stupid box.
    5. Re:Sounds like SQL Injection? by cduffy · · Score: 1

      Hmm -- you're right; PHP's database API appears not to have that support.

      Maybe I should have said "every competant database access API in existance".

  21. foibles by Quasar+Sera · · Score: 1

    I wonder when they'll getting around to fixing that pesky security flaw in users which causes them compulsively to click on things.

  22. Scary. by wilburpb · · Score: 1

    Without excusing the security hole, is it really that surprising that the emails are stored as "plain, unencrypted text"? I would think that encrypting e-mails on a mail server of that size would be the exception rather than the norm. Anyone know if Exchange is encrypted?

    1. Re:Scary. by McGiraf · · Score: 1

      sendmail and exim do not encrypt the mail storage neither, they were talking about unencrypted passwords in the database.

  23. More info here... by fak3r · · Score: 1

    I had an article here about it, looking for anyone who has a blackberry to discuss:

    Blackberry handhelds/servers vulnerable to attack

    I had no idea the server backend was so...crummy. Why do geeks running FreeBSD at home have their passwords encrypted within MySQL, but big companies with million dollar products don't?

    --
    fak3r.com
    1. Re:More info here... by blincoln · · Score: 2, Informative

      I had no idea the server backend was so...crummy. Why do geeks running FreeBSD at home have their passwords encrypted within MySQL, but big companies with million dollar products don't?

      The entire server backend is like that. Some of the more amusing examples:

      - When it starts, it has a fixed number of threads it can use to talk to the Exchange server. Let's say it's 1000. If a thread is killed off, e.g. because it timed out, it is not returned to the pool. So over the course of a week or so, you run out of threads and the app will no longer do anything. Consequently, we now reboot the server every night.

      - If you have Outlook installed on the Blackberry server, it breaks the Blackberry server software, because it will only work with a very specific nonstandard version of the MAPI DLL.

      - 50% of the time when you call their support line, the answer to your question mysteriously turns out to be that your server is under too heavy of a load and you need to buy another server license. Even if the server is working fine for all but one user, or if it was working fine for everyone until you switched license keys.

      Basically the entire thing is a giant Rube Goldberg contraption. The handhelds are decent for what they do, but not spectacular.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    2. Re:More info here... by fak3r · · Score: 1

      Amazing, thanks for the info, again, I have friends that use Blackberrys for work and love them, but damnit I can't believe the backend is that crappy! Another company trying to pry more money via handicapped proprietary software. Wonder if there are any open source projects working on a version of the blackberry server?

      --
      fak3r.com
    3. Re:More info here... by blincoln · · Score: 1

      Wonder if there are any open source projects working on a version of the blackberry server?

      I would think a better open source-type option would be to either use a handheld that has some kind of X Window client for mail on a remote server (if you want it in realtime), or a regular mail client that syncs up its local copy of the inbox every once in awhile.

      Honestly, there's no legitimate reason I can think of for the Blackberries to work the way they do, with mail passing through RIM between your mail server and the handhelds, other than RIM wanting to ensure that its customers keep paying for support.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
  24. Microshit Sequel Sewer? by ArsenneLupin · · Score: 1

    Wouldn't it be easier to send the victims a goatse image directly, rather that try to SQL-rape that poor Sequel server?

  25. haha - buncha keyboard commandos up in here by Anonymous Coward · · Score: 0

    with absolutely NO idea what they're talking about.

    ha.

    ha.

  26. wow by DeathByDuke · · Score: 0

    theres more RIMs in this thread than a goatse site

  27. Why would you have to convince someone else? by JamaisVu · · Score: 1

    What does he mean by convince a user to click on a special image. What if _I_ wanted to attach a RIM server and I had access to a Blackberry?! WTF? Why not describe a butterfly sneezing in China as a part of the attack?

    --
    "When the solution is simple, God is answering." -- Albert Einstein