Updating the Microsoft GDI component that BlackBerry products use

Article ID: KB15506

Type: Security Advisory

First Published: 04-28-08

Last Modified: 09-02-2010


Product(s) Affected:

  • BlackBerry Enterprise Server for Novell GroupWise
  • BlackBerry Enterprise Server for Microsoft Exchange
  • BlackBerry Media Sync
  • BlackBerry Enterprise Server for IBM Lotus Domino
Affected Software
  • BlackBerry® Enterprise Server software version 4.0 Service Pack 3 (4.0.3) or later
  • BlackBerry® Professional Software 4.1 Service Pack 4 (4.1.4) or later
  • Windows® 2000 Service Pack 4, or any release of Windows® XP, Windows Server® 2003, Windows Vista™, or Windows Server® 2008
  • BlackBerry® Media Sync
Are BlackBerry smartphones and the BlackBerry Device Software affected?
No.
Issue Severity

The issue severity is indicated in the Microsoft bulletins referenced below.

Overview

This advisory describes security issues that BlackBerry products (the BlackBerry Attachment Service component of the BlackBerry Enterprise Server and BlackBerry Media Sync) might be exposed to. The issues are known vulnerabilities in how the Graphics Device Interface (GDI) component of Microsoft Windows® processes Windows Metafile (WMF) and Enhanced Metafile (EMF) images.

  • The BlackBerry Attachment Service in BlackBerry Enterprise Server software version 4.0 SP3 or later and BlackBerry Professional Software version 4.1 SP4 or later uses the GDI component to convert images to a viewable format on the BlackBerry smartphone.
  • The BlackBerry Media Sync product can be used to synchronize files hosted on the computer running BlackBerry Media Sync to the BlackBerry smartphone.
Who should read this advisory?
  • BlackBerry Enterprise Server administrators
Who should apply the software fix(es)?
  • BlackBerry Enterprise Server administrators
Problem

These vulnerabilities expose the BlackBerry Attachment Service and the BlackBerry Desktop Manager to attacks that could allow a malicious user to cause arbitrary code to run on the computer on which the BlackBerry Attachment Service or the BlackBerry Desktop Manager is running.

  • If a BlackBerry smartphone user is associated with a BlackBerry Enterprise Server or BlackBerry Professional Software instance on which the BlackBerry Attachment Service is running, and the user tries to use the BlackBerry smartphone to open and view a WMF or EMF image attachment in a received email message sent by a user with malicious intent, the computer on which the BlackBerry Attachment Service is running could be compromised.
  • If the BlackBerry smartphone user uses BlackBerry Media Sync to synchronize an image created by a user with malicious intent, the computer on which BlackBerry Media Sync is running could be compromised.
Resolution

To resolve the issues, update the GDI component on the computer running the affected BlackBerry product.

The update from Microsoft is available through Microsoft Update, Windows Update, or Office Update, or from the Microsoft Download Center. For more information, visit the Microsoft security bulletins listed previously.

Additional Information

Network Segmentation

In a BlackBerry Enterprise Server environment, you can install the BlackBerry Attachment Service on a remote computer and then place that computer on its own network segment to prevent the spread of potential attacks from the BlackBerry Attachment Service to other computers within your organization's network. In a segmented network, attacks are isolated and contained within a single area of the network. A segmented network architecture is designed to improve the security and performance of the BlackBerry Attachment Service network segment by filtering out attachment data that is not destined for other network segments. For more information about placing the BlackBerry Enterprise Solution components in a network architecture that is segmented to prevent the spread of potential malware attacks, see Placing the BlackBerry Enterprise Solution in a Segmented Network.

BlackBerry Security

Visit www.blackberry.com/security for more information on BlackBerry security.
Change Log

09-02-10

Updates to article formatting. No technical content changed.

11-03-09

Article updated to include details of the impact of the same vulnerability and resolution on the BlackBerry Media Sync product.

10-20-09

Article updated to link to the latest advisory and software updates from Microsoft for critical security vulnerabilities related to the GDI component. For further details, see the Overview and Resolution sections.

03-18-09

Article updated to link to the latest advisory and software updates from Microsoft for critical security vulnerabilities related to the GDI component. For further details, see the Overview and Resolution sections.

12-10-08

Article updated to link to the latest advisory and software updates from Microsoft for critical security vulnerabilities related to the GDI component. For further details, see the Overview and Resolution sections.

09-22-08

Article updated to link to the latest advisory and software updates from Microsoft for critical security vulnerabilities related to the GDI component. For further details, see the Overview and Resolution sections.

Disclaimer

By downloading, accessing or otherwise using the Knowledge Base documents you agree:

   (a) that the terms of use for the documents found at www.blackberry.com/legal/knowledgebase apply to your use or reference to these documents; and

   (b) not to copy, distribute, disclose or reproduce, in full or in part any of the documents without the express written consent of RIM.


Visit the BlackBerry Technical Solution Center at www.blackberry.com/btsc.