BlackBerry smartphone users with the Research In Motion (RIM) BlackBerry Desktop Manager software installed on Windows PCs, or Mac-based Windows virtual machines, should update the Desktop Manager software immediately, according to RIM.
Any and all BlackBerry Desktop Manager versions prior to v5.0.1 contain a security flaw that could allow malicious parties to remotely execute code on unsuspecting users' computers, RIM says.
From a RIM security advisory posted yesterday:
"If the malicious user performs an attack designed to decieve [sic] the legitimate user into clicking a link to a website that appears to be from a trusted source, and the legitimate user chooses to access that site from the computer that is running the BlackBerry Desktop Manager, the user might be deceived into browsing to a web page that the malicious user has designed to perform remote code execution using the legitimate user's privileges on the computer.
The BlackBerry Desktop Manager does not need to be running for a malicious user to exploit this vulnerability."
The vulnerability is a critical one with a Common Vulnerability Scoring System (CVSS) rating of 9.3 out of 10, according to RIM.
The vulnerable component within Desktop Manager is the Lotus Notes Intellisync DLL, which RIM says is included by default in every BlackBerry Desktop Manager installation. The flaw can reportedly be exploited whether or not the Intellisync feature is ever used after installation.
RIM has already released a software update to address the vulnerability, and users could receive automatic Desktop Manager notifications regarding the security fix, depending on which version of the software they employ. If you have not received an automatic update, or you chose not to update immediately, you should download and install the latest version of BlackBerry Desktop Manager from RIM's website.
RIM also listed the following workaround:
"You can disable the Lotus Notes Intellisync functionality by unregistering the Intellisync component DLL, lnresobject.dll. Disabling the functionality prevents a malicious user from exploiting the vulnerability.
To unregister the DLL on the computer running the BlackBerry Desktop Manager, at a command line enter the command: regsvr32 /u "C:\Program Files\Research In Motion\BlackBerry\IS71 Connectors\Lotus Notes5.0\lnsresobject.dll""
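An administrator checking a fleet of Windows PCs would want to confirm both conditions above: that Desktop Manager is at v5.0.1 or later, and that the Intellisync DLL is no longer COM-registered where the workaround was applied. The PowerShell audit script below is an added example, not code from RIM or the article; the version threshold and DLL path come from the text, while the Uninstall registry locations, the "BlackBerry Desktop" display-name match and the CLSID scan are assumptions about how the product and regsvr32 register themselves.

```powershell
# Added audit script (assumption-based; not RIM's code). Reports whether a host
# still runs a Desktop Manager build older than 5.0.1 and whether any COM class
# still points at the Intellisync DLL named in RIM's workaround.
$FixedVersion = [version]'5.0.1'
# Path quoted in the workaround; the article spells the file name two ways.
$DllPath  = 'C:\Program Files\Research In Motion\BlackBerry\IS71 Connectors\Lotus Notes5.0\lnsresobject.dll'
$DllNames = @('lnresobject.dll', 'lnsresobject.dll')

function Get-BlackBerryDesktopVersion {
    # Assumption: the installer registers under the standard Uninstall keys
    # with a DisplayName containing "BlackBerry Desktop".
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*BlackBerry Desktop*' -and $_.DisplayVersion } |
        ForEach-Object { [version]$_.DisplayVersion } |
        Sort-Object -Descending | Select-Object -First 1
}

function Test-IntellisyncRegistered {
    # regsvr32 registers an in-process COM server by writing
    # HKCR\CLSID\{...}\InprocServer32; "regsvr32 /u" removes those entries.
    # Any remaining InprocServer32 that names the DLL means the workaround
    # was not applied (or the DLL was re-registered, e.g. by a reinstall).
    $clsids = Get-ChildItem -Path 'Registry::HKEY_CLASSES_ROOT\CLSID' -ErrorAction SilentlyContinue
    foreach ($clsid in $clsids) {
        $inproc = Get-ItemProperty -Path (Join-Path $clsid.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
        if (-not $inproc) { continue }
        $server = [string]$inproc.'(default)'
        foreach ($name in $DllNames) {
            if ($server -like "*\$name") { return $true }
        }
    }
    return $false
}

$version = Get-BlackBerryDesktopVersion
if (-not $version) {
    Write-Output 'BlackBerry Desktop Manager not found in the Uninstall registry.'
} elseif ($version -lt $FixedVersion) {
    Write-Output "Vulnerable build installed ($version); update to 5.0.1 or later."
} else {
    Write-Output "Desktop Manager $version is at or above the fixed version."
}
if (Test-Path -LiteralPath $DllPath) { Write-Output "Intellisync DLL present at $DllPath" }
if (Test-IntellisyncRegistered) {
    Write-Output 'Intellisync DLL is still COM-registered; the regsvr32 /u workaround has not taken effect.'
} else {
    Write-Output 'No CLSID InprocServer32 entry points at the Intellisync DLL.'
}
```

Run it in an elevated PowerShell session; scanning HKCR\CLSID takes a few seconds on a typical machine.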
The Macintosh version of RIM's BlackBerry Desktop Software does not appear to contain the flaw.
Additional information on BlackBerry security can be located on RIM's website.