Security Vulnerability In BlackBerry Desktop Manager Versions 5.0 And Earlier – Resolution And Workaround Available
Posted by Mauricio on Nov 4, 2009 at 2:21 PM

RIM has posted a security advisory (KB19701) stating that all BlackBerry Desktop Manager versions earlier than version 5.0 contain a vulnerability that would allow a malicious user to remotely execute code on your computer:
This advisory relates to a vulnerability in a Lotus Notes Intellisync DLL that the BlackBerry Desktop Manager may use. This vulnerability may allow a malicious user to perform an attack that leverages social engineering to achieve remote code execution on the computer running the BlackBerry Desktop Manager. If the legitimate (logged in) user clicks a link to a malicious web site (for example, in an email message, in a browser, or an instant message) on the computer that is running the BlackBerry Desktop Manager, a vulnerability in an Intellisync component could allow the malicious user who sent the link or created the malicious web site to execute code on the computer using the privileges of the legitimate user.
Note: The affected Lotus Notes Intellisync DLL is included by default in all BlackBerry Desktop Manager installations. This vulnerability exists whether or not the DLL is used after installation.
Issue Severity: This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.3.
Issue Status: Vulnerability confirmed. For more information, see the Resolution section.
To avoid becoming a victim of a malicious user, RIM is recommending that everyone update their BlackBerry Desktop Manager immediately to at least version 5.0.1. To download this update, visit the BlackBerry Software Downloads page and select the appropriate version in the drop-down menu. RIM has also issued the following workaround:
You can disable the Lotus Notes Intellisync functionality by unregistering the Intellisync component DLL, lnresobject.dll. Disabling the functionality prevents a malicious user from exploiting the vulnerability.
To unregister the DLL on the computer running the BlackBerry Desktop Manager, at a command line enter the command: regsvr32 /u "C:\Program Files\Research In Motion\BlackBerry\IS71 Connectors\Lotus Notes5.0\lnresobject.dll"
via KB19701
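The workaround above only tells you how to unregister the DLL; it does not tell you whether a given machine still has it registered. The following PowerShell script is an added example written for this post (it is not from RIM or KB19701): it checks whether lnresobject.dll is still on disk at the path the advisory names and whether any COM class in the registry still points at it, which is what regsvr32 /u removes. Only the DLL path comes from the advisory; the function name Get-IntellisyncDllStatus and the audit logic are this example's own assumptions.

```powershell
# Added example, not part of KB19701 or the BlackBerry Desktop Manager software.
# Audits whether the Lotus Notes Intellisync DLL named in the advisory is still
# present and COM-registered on this machine, so an administrator can confirm
# the workaround actually took effect (or was undone by a later reinstall).

# Path taken from the KB19701 workaround text.
$dllPath = 'C:\Program Files\Research In Motion\BlackBerry\IS71 Connectors\Lotus Notes5.0\lnresobject.dll'

function Get-IntellisyncDllStatus {
    param([string]$Path = $dllPath)

    $present = Test-Path -LiteralPath $Path

    # regsvr32 registers a COM DLL by writing its path into HKLM\...\CLSID\{guid}\InprocServer32.
    # regsvr32 /u deletes those keys. If any CLSID still points at the DLL, it is still reachable.
    $registered = @()
    $hives = @(
        'HKLM:\SOFTWARE\Classes\CLSID',
        'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID'   # 32-bit components on 64-bit Windows
    )
    foreach ($hive in $hives) {
        if (-not (Test-Path $hive)) { continue }
        foreach ($clsid in Get-ChildItem -Path $hive -ErrorAction SilentlyContinue) {
            $inproc = Join-Path $clsid.PSPath 'InprocServer32'
            if (-not (Test-Path $inproc)) { continue }
            $server = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($server -and ($server.Trim('"') -ieq $Path)) {
                $registered += $clsid.PSChildName
            }
        }
    }

    [pscustomobject]@{
        DllPath          = $Path
        FilePresent      = $present
        RegisteredClsids = $registered
        # The advisory's exposure condition: DLL installed and still registered.
        StillRegistered  = ($present -and $registered.Count -gt 0)
    }
}

$status = Get-IntellisyncDllStatus
$status | Format-List

if ($status.StillRegistered) {
    Write-Warning 'lnresobject.dll is still COM-registered; apply the KB19701 workaround or update to 5.0.1+:'
    Write-Warning "  regsvr32 /u `"$($status.DllPath)`""
}
```

Reading HKLM\SOFTWARE\Classes does not require elevation, so the check can run as a normal user; running regsvr32 /u itself does. Note that unregistering leaves the file on disk, and a reinstall or repair of an older Desktop Manager will register it again, which is why the script reports file presence and registration separately and why the update to 5.0.1 remains the real fix.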