ScOObydoo, 10-15-2004, 01:31 PM
[2004-10-15] RIM Refutes BlackBerry Buffer Overflow Claim

Call it a case of dueling, nuanced advisories. Research In Motion has challenged a risk advisory that security firm HexView put out this week about RIM's popular BlackBerry handheld device, which in turn prompted a new advisory from HexView.

The HexView advisory on Tuesday claimed that the RIM BlackBerry could potentially suffer data loss and be at risk of a denial of service attack as the result of a buffer overflow and other vulnerabilities. It also said the issue could "easily be reproduced" by sending a long string (over 128K) meeting request via Microsoft Outlook.

"The Blackberry reboots when it tries to notify the user," HexView's original advisory said. "No user action is required. It is possible to render Blackberry device completely useless by queuing a number of such messages into user's mailbox."

RIM took a look and then followed up with its own advisory.

RIM's analysis said the claims of buffer overflow, stack corruption, data loss and malicious code penetration risk in the HexView advisory are incorrect. "As of this time, Research In Motion has not received any customer reports of this issue being exploited in practice."

RIM did concede that part of HexView's advisory was correct, but said that the bug only affects version 3.7 of its software and has already been corrected in BlackBerry handheld software version 3.8 and later.