Thousands of BlackBerrys are exposing thousands of networks to hacking and hardly a soul in business knows about it. The problem is revealed on an official support page that rates the security hole 9 out of a possible 10 on the industry standard Common Vulnerability Scoring System. For years, Adobe Acrobat documents have been getting smarter. In this context, smart means the ability to run scripts that do clever things. But recent versions of BlackBerry Enterprise Server have allowed hackers to harness the smarts for their own purposes. A malicious Acrobat document viewed on a BlackBerry can open access to your office network.
Let's not panic. The vulnerability affects only BlackBerry Enterprise Server versions 4.1.3 to 4.1.5, and if you have updated to release 4.1.6 you're in the clear, this time. Of course, few users know what version of the server stands behind their handset. Ask the IT department if you want peace of mind.
Affected servers should be updated immediately, or patched with an interim security update available from blackberry.com, home of BlackBerry developer Research In Motion. If that's not possible, RIM recommends turning off the ability for users to open Acrobat PDF files.
Now that the first aid is in place, let's understand how the problem came about in the first place. It's a sobering lesson in the balancing act corporate techies have to perform.
Acrobat, as noted above, is a tricky character. You may think the PDF file you opened this morning is a harmless critter, but it can actually pack quite a punch. Every successive version of the software is better at processing form data, playing multimedia and other neat tricks. From time to time, techno-blackguards devise ways to make Acrobat files do things they shouldn't, like delete files or open up network doorways.
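The "smarts" the column refers to are PDF action objects: names such as /OpenAction, /JavaScript and /Launch that tell a reader to run script, open another program or fetch a URL when the document is opened. As an added example (not code from the article, from RIM, or from Adobe), here is a small Python triage script that flags PDF attachments carrying such active content before they reach a gateway like the one described below. The three sample PDFs are constructed inline for the demonstration and contain no real exploit; the name list is my own choice of what to look for.

```python
import re

# Constructed sample PDFs for the demonstration (not real attachments):
# a plain one-page document, the same document with a JavaScript action
# that fires on open, and a copy with the action names hex-escaped
# (/J#61vaScript) to dodge naive string matching.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

ACTIVE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /JavaScript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

OBFUSCATED_PDF = (ACTIVE_PDF
                  .replace(b"/JavaScript", b"/J#61vaScript")
                  .replace(b"/OpenAction", b"/Open#41ction"))

# PDF name objects that mark active or externally-reaching content.
# The list is an assumption of this example, not an official blacklist.
RISKY_NAMES = {
    "/JavaScript": "embedded script",
    "/JS": "script source",
    "/OpenAction": "action run when the document opens",
    "/AA": "additional (automatic) actions",
    "/Launch": "launches an external program",
    "/EmbeddedFile": "carries an embedded file",
    "/RichMedia": "multimedia content",
    "/URI": "opens an external URL",
}

# A PDF name token: '/' followed by regular characters (no delimiters).
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")


def decode_name(raw: bytes) -> str:
    """Decode a PDF name token, resolving #xx hex escapes so that
    /J#61vaScript compares equal to /JavaScript."""
    unescaped = re.sub(rb"#([0-9A-Fa-f]{2})",
                       lambda m: bytes([int(m.group(1), 16)]), raw)
    return unescaped.decode("latin-1")


def triage_pdf(data: bytes) -> dict:
    """Return {name: count} for every risky name object found in data.

    This is a cheap first-pass check, not a PDF parser: it does not
    inflate compressed object streams or follow references, so an empty
    result is a weak signal and no substitute for patching the server."""
    hits = {}
    for match in NAME_RE.finditer(data):
        name = decode_name(match.group(0))
        if name in RISKY_NAMES:
            hits[name] = hits.get(name, 0) + 1
    return hits


def is_suspicious(data: bytes) -> bool:
    """True if the PDF carries any of the active-content markers above."""
    return bool(triage_pdf(data))


if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("active", ACTIVE_PDF),
                       ("obfuscated", OBFUSCATED_PDF)):
        hits = triage_pdf(pdf)
        verdict = "SUSPICIOUS" if hits else "no active content found"
        print(f"{label:11s}: {verdict}")
        for name, count in hits.items():
            print(f"    {name} x{count}: {RISKY_NAMES[name]}")
```

The hex-escape handling is the part worth copying: a filter that grep-matches the literal string `/JavaScript` is trivially bypassed, whereas decoding the name the way a PDF reader does is not. Treat a hit as a reason to quarantine, and treat a miss as nothing more than the absence of obvious markers.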
Enter the BlackBerry Enterprise Server (BES), a piece of corporate plumbing that connects Exchange Server to the BlackBerry network. BES is the reason email, contacts and appointments flow between office networks and BlackBerry handsets. It also includes a component called BlackBerry Attachment Service that opens PDF files and other attachments on the server and translates them into a form the handset can display. That detail matters: the attachment is processed on the server inside the office network, not on the handset.
There are two problems with BES. First, millions of executives demand it. Their peers have real-time access to email and calendars and so must they. Second, BES normally lives on the internal office network. So a hacker who can compromise it gets a free ride into the inner sanctum.
If IT was asked to commission a document management server, or a file transfer server, or any other kind of server that connected the internal network to portable devices, they'd insist on a security audit. But BlackBerry is BlackBerry. Try telling a rampant chief executive or law partner that the service is unavailable until security is improved. So BES is often allowed to run with careless abandon.
When a user opens a malicious PDF on an affected system, the Attachment Service processes the original file back on the server, and that is where the attacker's payload runs. The advisory calls it arbitrary code execution. Translate that as almost any darn thing the author wants to do, with whatever privileges the Attachment Service has.
As far as your network knows, instructions from BES are commands from a trusted member of the team, and an attacker who controls BES inherits whatever that trusted account is allowed to do. If BES says to delete, most other computers on the network will delete.
If BES says email a file to an outside address, email they will.
The lesson is that every link from your internal strongbox to the world at large is a potential security breach. The price of portable email is eternal vigilance.
For BlackBerry, a good guide for that vigilance is an unclassified Defence Signals Directorate guide on setting up BES with Microsoft Exchange Server 5.5.
It anticipated the latest PDF security issue by recommending that the Attachment Service be installed on a separate computer isolated from the general network. That way, even when a malefactor works out a way to issue network instructions through a PDF vulnerability, the server is blind to the network.
The document also recommends a separate firewall between BES and Exchange Server, and restrictions on the hard drive files BES can access. For no good reason, a default BES installation allows it to view files in the root directory of the server. Best practice is to lock that down so a compromised service can read and write only what it needs. In all, there are 27 pages of good advice.
Peter Moon is a partner in Logie-Smith Lanyon Lawyers.
Fairfax Business Media