{"vuid":"VU#289235","idnumber":"289235","name":"BlackBerry Attachment Service PDF distiller vulnerable to arbitrary code execution","keywords":["BlackBerry","Enterprise Server","Attachment Service","PDF distiller","arbitrary code execution"],"overview":"The PDF Distiller service that is provided with BlackBerry Enterprise Server contains a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.","clean_desc":"The BlackBerry Attachment Service is a component of the BlackBerry Enterprise Server (BES) and BlackBerry Unite!. The BlackBerry Attachment Service renders certain types of files sent as email attachments for display on BlackBerry Handhelds and other BlackBerry client devices. An unspecified vulnerability in the PDF distiller component of the BlackBerry Attachment Service may allow arbitrary code execution on the system that runs the vulnerable service.","impact":"By convincing a user to open a specially-crafted PDF attachment on a BlackBerry smartphone, a remote, unauthenticated attacker may be able to execute arbitrary code on the system that runs the BlackBerry Attachment Service.","resolution":"Apply an update\nThis issue is addressed in BlackBerry Enterprise Server 4.1 Service Pack 6 (4.1.6). Please see BlackBerry document KB15766 for more details. This issue is also addressed in BlackBerry Unite! 1.0 Service Pack 1 (1.0.1) bundle 36. Please see BlackBerry document KB15770 for more details.","workarounds":"Prevent the BlackBerry Attachment Service from processing PDF files BlackBerry document KB15766 and KB15770 outline several ways of preventing the BlackBerry Enterprise Server and BlackBerry Unite! from processing PDF files, which can help mitigate this vulnerability.","sysaffected":"","thanks":"This issue was reported by Research In Motion.","author":"This document was written by Will Dormann.","public":["http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB15766","http://www.blackberry.com/btsc/articles/660/KB15766_f.SAL_Public.html","http://www.blackberry.com/btsc/articles/635/KB15770_f.SAL_Public.html","http://secunia.com/advisories/31092/","http://secunia.com/advisories/31141/"],"cveids":[""],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2008-07-16T15:21:51Z","publicdate":"2008-07-17T00:00:00Z","datefirstpublished":"2008-07-18T14:07:58Z","dateupdated":"2008-07-18T14:08:15Z","revision":8,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"18","cam_population":"16","cam_impact":"18","cam_easeofexploitation":"6","cam_attackeraccessrequired":"19","cam_scorecurrent":"20.3148","cam_scorecurrentwidelyknown":"23.3928","cam_scorecurrentwidelyknownexploited":"35.7048","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":20.3148,"vulnote":null}