BlackBerry Desktop Software Lotus Notes Intellisync Vulnerability

Number: AV09-043
Date: 5 November 2009

Purpose

The purpose of this advisory is to bring attention to a BlackBerry Desktop Software vulnerability in version 5.0 and earlier.

Assessment

A vulnerability has been identified in BlackBerry Desktop Software, which could be exploited by remote attackers to compromise an affected system. This issue is caused by a buffer overflow error in the Lotus Notes Intellisync ActiveX control when processing user-supplied data, which could be exploited by remote attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page.

Rated as: Critical
Remotely Exploitable: Yes
Locally Exploitable: Yes

The vendor has released updates.

Suggested action

CCIRC recommends that administrators test and deploy the following updates according to their Release Management practices, as appropriate, at the earliest opportunity.

Upgrade to BlackBerry Desktop Software version 5.0.1 or later:
https://www.blackberry.com/Downloads/entry.do?code=A8BAA56554F96369AB93E4F3BB068C22

References:

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca