- BlackBerry® device
- BlackBerry® Device Software 3.7 Service Pack 1
- BlackBerry® Enterprise Server
- IBM® Lotus® Domino®
- Microsoft® Exchange
A HexView advisory (ID number HEXVIEW*2004*10*12*1) published on 12 October 2004 and a subsequent updated advisory (ID number HEXVIEW*2004*10*14*1) published on 14 October 2004 identified an issue in BlackBerry Device Software 3.7 Service Pack 1 that is known to Research In Motion (RIM) and has been corrected in BlackBerry Device Software 3.8 and later.
The HexView advisory correctly identifies a scenario that can be manufactured to cause a BlackBerry device to reset, but RIM believes that the advisory contains several incorrect conclusions. While exploiting the software issue may cause a BlackBerry device to reset, it does not constitute a buffer overflow or data loss vulnerability. To date, RIM has not received any customer reports of this issue being exploited in practice.
HexView published a brief advisory on 12 October 2004. HexView's policy at that time was not to contact vendors in advance unless a vendor had a prior agreement with HexView. RIM was not notified in advance and was not able to provide any feedback to HexView prior to the publication of the advisory. RIM has since contacted HexView and HexView was helpful in assisting RIM with this issue.
The advisory states the issue can be created by sending a Microsoft Outlook® meeting request with a large string (over 128 KB) in the Location field. It is important to note that Microsoft Outlook limits the size of the Location field to 255 characters, or bytes, so a large Location field cannot be normally or inadvertently created. Despite this restriction, RIM has replicated the issue defined by HexView on BlackBerry devices running BlackBerry Device Software 3.7 Service Pack 1 and confirmed that a BlackBerry device reset may occur. However, RIM believes the following conclusions in HexView's advisory are incorrect:
- A buffer overflow and stack corruption occur.
- Stored messages and BlackBerry device user data are lost. (These are stored in non-volatile Flash memory, not in RAM.)
- Malicious code can be embedded and executed on the BlackBerry device.
Note: The Watchdog Timer also causes the BlackBerry device to reset.
Install BlackBerry Device Software 3.8 or later.
RIM has implemented further safeguards at the BlackBerry Enterprise Server level with the release of the following BlackBerry products:
- BlackBerry Enterprise Server software version 4.0
- BlackBerry Enterprise Server software version 3.6 Service Pack 4 Hot Fix 1 for Microsoft Exchange
- BlackBerry Enterprise Server software version 2.2 Service Pack 4 Hot Fix 1 for IBM Lotus Domino
These safety measures will prevent artificially large or problematic meeting requests from being delivered to the BlackBerry device. This eliminates the need for BlackBerry Device Software to be upgraded to version 3.8 or later.
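The following sketch shows a gateway-side size check of the kind described above; it is an added illustration, not RIM's code, and the advisory does not say how BlackBerry Enterprise Server performs its filtering. It assumes the meeting request is available as iCalendar (RFC 5545) text and applies the 255-character Location limit quoted earlier; the function names and sample invites are constructed for the example.

```python
import re

# Assumption: 255 mirrors the Outlook Location limit quoted in the advisory.
LIMITS = {"LOCATION": 255}

def unfold(ical_text):
    """Undo RFC 5545 line folding (line break followed by a space or tab)."""
    return re.sub(r"\r?\n[ \t]", "", ical_text)

def split_property(line):
    """Return (NAME, value) for 'NAME;PARAM="x:y":value'; (None, None) if no colon."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i].split(";", 1)[0].upper(), line[i + 1:]
    return None, None

def oversized_fields(ical_text, limits=LIMITS):
    """List (property, size in bytes) for every checked property over its limit."""
    findings = []
    for line in unfold(ical_text).splitlines():
        name, value = split_property(line)
        if name in limits:
            size = len(value.encode("utf-8"))
            if size > limits[name]:
                findings.append((name, size))
    return findings

def should_deliver(ical_text):
    """Hold back any meeting request with an oversized checked field."""
    return not oversized_fields(ical_text)

def fold(line, width=75):
    """Fold one content line the way a sender would (used to build samples)."""
    chunks = [line[:width]] + [line[i:i + width - 1]
                               for i in range(width, len(line), width - 1)]
    return "\r\n ".join(chunks)

def make_invite(location_line):
    """Constructed sample invite; not captured traffic."""
    body = ["BEGIN:VCALENDAR", "METHOD:REQUEST", "BEGIN:VEVENT",
            "SUMMARY:Status meeting", fold(location_line), "END:VEVENT", "END:VCALENDAR"]
    return "\r\n".join(body) + "\r\n"

NORMAL = make_invite('LOCATION;ALTREP="http://example.com/rooms/4":Room 4')
OVERSIZED = make_invite("LOCATION:" + "A" * (128 * 1024 + 1))

if __name__ == "__main__":
    for label, invite in (("normal", NORMAL), ("oversized", OVERSIZED)):
        print(label, should_deliver(invite), oversized_fields(invite))
```

The value is measured after unfolding, so a field split across many short physical lines is still counted at its full size.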
For more information on BlackBerry security, refer to the following documents:
- BlackBerry Enterprise Solution Security Version 4.0.x: Technical Overview
- BlackBerry Security for IBM Lotus Domino
- BlackBerry Security for Microsoft Exchange
- Application Security for Java-based BlackBerry Handhelds
Visit www.blackberry.com/security for more information on BlackBerry security.
Updates to article formatting. No technical content changed.