DOE-CIRC TECHNICAL BULLETIN

T-265: BlackBerry Desktop Manager ActiveX Control Remote Code Execution Vulnerability

[CVE-2009-0306]

November 4, 2009 15:00 GMT

PROBLEM: BlackBerry Desktop Manager is prone to a remote code-execution vulnerability. The issue occurs in the Lotus Notes Intellisync ActiveX control provided by 'Inresobject.dll'.
PLATFORM: BlackBerry Desktop Software version 5.0 and earlier (on all platforms)
ABSTRACT: An attacker can exploit this issue to execute arbitrary code in the context of the application using the ActiveX control (typically Internet Explorer). Failed attacks will likely cause denial-of-service conditions.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-265.shtml
  OTHER LINKS: Security Focus http://www.securityfocus.com/bid/36903/info

  CVE: CVE-2009-0306

IMPACT ASSESSMENT: This risk is medium. A remote attacker could execute arbitrary code using privileges of the legitimate user.

[***** Start CVE-2009-0306 *****]
Discussion:
This advisory relates to a vulnerability in a Lotus Notes Intellisync DLL that the BlackBerry Desktop Manager may use. The vulnerability may allow a malicious user to combine social engineering with remote code execution on the computer running the BlackBerry Desktop Manager. If the legitimate (logged in) user clicks a link to a malicious web site (for example, in an email message, a browser, or an instant message) on the computer that is running the BlackBerry Desktop Manager, a vulnerability in an Intellisync component could allow the malicious user who sent the link or created the malicious web site to execute code on the computer using the privileges of the legitimate user.

If the malicious user performs an attack designed to deceive the legitimate user into clicking a link to a web site that appears to be from a trusted source, and the legitimate user chooses to access that site from the computer that is running the BlackBerry Desktop Manager, the user might be led to a web page that the malicious user has designed to execute code using the legitimate user's privileges on the computer.

The BlackBerry Desktop Manager does not need to be running for a malicious user to exploit this vulnerability.


Note: The affected Lotus Notes Intellisync DLL is included by default in all BlackBerry Desktop Manager installations. This vulnerability exists whether or not the DLL is used after installation.

Mitigations:

* If you do not require the Lotus Notes Intellisync function, you can disable it to prevent a malicious user from exploiting the vulnerability. For more information, see the Workaround section.

* RIM recommends that users exercise caution when clicking on links that they receive from untrusted sources, and links to untrusted web sites in browsers.

Solution:
The vendor has issued a software update that resolves this issue in BlackBerry Desktop Software version 5.0.1 and later.

Upgrade the BlackBerry Desktop Software

Note: The minimum BlackBerry Desktop Software version you can install to resolve this issue is 5.0.1.

1. Visit BlackBerry Software Downloads. https://www.blackberry.com/Downloads/entry.do?code=A8BAA56554F96369AB93E4F3BB068C22

2. In the drop-down list, select BlackBerry Desktop Software v5.0.1 or later and click Next.

3. Choose a BlackBerry Desktop Manager bundle to download.

4. Complete the download process and follow the installation instructions to complete the upgrade process.
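The following PowerShell inventory check is an added example, not part of the DOE-CIRC bulletin or RIM's guidance. It supports both the Mitigations item (is the Intellisync ActiveX control registered on this host, and is it already blocked in Internet Explorer?) and the Solution section (is the installed BlackBerry Desktop Software below 5.0.1?). The bulletin names only the DLL, 'Inresobject.dll', and no CLSID, so the script discovers CLSIDs by scanning the COM registration keys rather than hard-coding one. The Internet Explorer kill bit (Compatibility Flags 0x400) is the standard mechanism for keeping a control out of the browser and is an assumption about how "disable" would be implemented; the 'BlackBerry Desktop*' display name used to find the installed version is also an assumption.

```powershell
# Added inventory check (not from the bulletin or RIM). Run in an elevated PowerShell
# on a host that has BlackBerry Desktop Software installed.
$DllName    = 'Inresobject.dll'   # DLL named in the advisory
$FixedBuild = [version]'5.0.1'    # minimum fixed version per the advisory

function Get-IntellisyncClsids {
    # Walk HKCR\CLSID\*\InprocServer32 and return every CLSID whose in-process
    # server path points at the advisory's DLL. No CLSID is assumed in advance.
    $results = @()
    Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue | ForEach-Object {
        $server = Get-ItemProperty -Path "$($_.PSPath)\InprocServer32" -Name '(default)' -ErrorAction SilentlyContinue
        if ($server -and $server.'(default)' -like "*$DllName*") {
            $results += [pscustomobject]@{ Clsid = $_.PSChildName; Path = $server.'(default)' }
        }
    }
    return $results
}

function Test-KillBit([string]$Clsid) {
    # The IE kill bit is bit 0x400 of the 'Compatibility Flags' DWORD under
    # HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}.
    $key   = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]($flags -band 0x400)
}

function Get-BlackBerryDesktopVersion {
    # Read the installed version from the Uninstall keys (32- and 64-bit views).
    # The display-name pattern is an assumption, not taken from the advisory.
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'BlackBerry Desktop*' -and $_.DisplayVersion } |
        ForEach-Object { try { [version]$_.DisplayVersion } catch { } } |
        Sort-Object -Descending | Select-Object -First 1
}

# Report on the ActiveX control.
$clsids = Get-IntellisyncClsids
if (-not $clsids) {
    "No COM server registered for $DllName; the affected control is not registered on this host."
}
foreach ($c in $clsids) {
    $state = if (Test-KillBit $c.Clsid) { 'kill bit SET (blocked in IE)' } else { 'kill bit NOT set (loadable from IE)' }
    '{0}  {1}  {2}' -f $c.Clsid, $c.Path, $state
}

# Report on the installed BlackBerry Desktop Software version.
$ver = Get-BlackBerryDesktopVersion
if ($ver) {
    if ($ver -lt $FixedBuild) { "BlackBerry Desktop Software $ver installed: below $FixedBuild, upgrade per the advisory." }
    else                      { "BlackBerry Desktop Software $ver installed: at or above $FixedBuild." }
} else {
    'BlackBerry Desktop Software not found in the Uninstall registry keys.'
}
```

A host where the DLL is registered, no kill bit is set, and the version is below 5.0.1 is exposed as described in the Discussion section even if the Desktop Manager is not running. Once the 5.0.1 upgrade is applied, rerunning the script confirms the version check passes; the CLSID listing is also a convenient way to verify whether the control remains registered after the upgrade.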

[***** End CVE-2009-0306 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:          866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788