Risk: Medium
Research In Motion, the Canadian company that makes the devices, is playing down the threat, saying that, "a corrupt Tagged Image File Format (TIFF) file sent to a user may stop a user’s ability to view attachments. There is no impact on any other services (for example, sending and receiving messages, making phone calls, browsing the Internet, and running handheld applications to access a corporate network)."
Felix Lindner from researcher Phenoelit, who discovered the flaw, said that the real problem is a vulnerability in the way that BlackBerry servers handle portable network graphics (PNG) images. Lindner said that the flaw was not disclosed by either RIM or the US-CERT advisory, which he suspects is because the PNG flaw is present not in the newest version of Blackberry server but in all versions from 4.0 to 4.0.1.9.
Lindner found that by convincing a BlackBerry user to click on a special image attachment, that device could be forced to pass on malicious code to the BlackBerry server, which could then be taken over and used to intercept emails or as a staging point for other attacks within the network.
Research in Motion Ltd, said it is a previously reported issue, "that has been escalated internally to our development team. No resolution time frame is currently available."