RIM Refutes BlackBerry Buffer Overflow Claim

October 15, 2004

Call it a case of dueling, nuanced advisories. Research In Motion has challenged a risk advisory that security firm HexView issued this week about RIM's popular BlackBerry handheld device, which in turn prompted a new advisory from HexView.

The HexView advisory on Tuesday claimed that the RIM BlackBerry could suffer data loss and be at risk of a denial of service attack as the result of a buffer overflow and other vulnerabilities. It also said the issue could "easily be reproduced" by sending, via Microsoft Outlook, a meeting request containing a long string (over 128KB).

"The Blackberry reboots when it tries to notify the user," HexView's original advisory said. "No user action is required. It is possible to render Blackberry device completely useless by queuing a number of such messages into user's mailbox."

RIM took a look and then followed up with its own advisory.

RIM's analysis said the buffer overflow, stack corruption, data loss and malicious code penetration risks claimed in the HexView advisory are incorrect. "As of this time, Research In Motion has not received any customer reports of this issue being exploited in practice."

RIM did concede that part of HexView's advisory was correct, but said that the bug only affects version 3.7 of its handheld software and has already been corrected in BlackBerry handheld software version 3.8 and later.

It was enough, however, for HexView to issue an advisory on its advisory. "There is no buffer overflow condition. Device reset is triggered by a watchdog timer that times out when a long message is being stored in flash memory," HexView said in its update, which also lowered the advisory's risk rating from "high" to "medium."

RIM's advisory continued: "HexView points out the issue can be created by sending a Microsoft Outlook meeting request message with a large string, over 128KB, in the Location field. It is important to note that Microsoft Outlook limits the size of the Location field to 255 characters, or bytes, so a large Location field cannot be normally or inadvertently created." That 255-character cap is a limit of Outlook's own interface rather than of the message itself, which is why RIM's wording is "normally or inadvertently": a deliberately crafted message is not bound by it. Indeed, RIM also said it had replicated the issue described by HexView on handhelds running handheld software version 3.7 Service Pack 1 and confirmed that a handheld reset can occur.
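To make the two numbers in the dispute concrete, here is an added example (not code from RIM, HexView or the article) that builds an iCalendar meeting request with a LOCATION property of arbitrary size and checks it the way a mail gateway could: unfold the property per RFC 5545 and measure it. The 255-character figure is Outlook's limit as RIM states it; the 128 KB figure is HexView's trigger size; using them as filter thresholds, and the sample calendar content itself, are this example's assumptions.

```python
"""Added example: oversized LOCATION in an iCalendar meeting request,
and a gateway-side size check. Not RIM's or HexView's code."""

# From the article: Outlook's UI caps Location at 255 characters, and
# HexView's trigger was a Location string over 128 KB. Treating them as
# filter thresholds is an assumption made for this example.
OUTLOOK_LOCATION_LIMIT = 255
RESET_TRIGGER_SIZE = 128 * 1024


def fold(line: str, limit: int = 75) -> str:
    """RFC 5545 line folding: split a content line into pieces of at most
    `limit` characters, each continuation introduced by CRLF plus one space."""
    pieces = [line[i:i + limit] for i in range(0, len(line), limit)] or [""]
    return "\r\n ".join(pieces)


def build_meeting_request(location: str) -> str:
    """Constructed sample: a minimal METHOD:REQUEST VEVENT carrying the given
    LOCATION. UID, dates and PRODID are placeholders, not real data."""
    lines = [
        "BEGIN:VCALENDAR",
        "VERSION:2.0",
        "PRODID:-//example//constructed sample//EN",  # assumed value
        "METHOD:REQUEST",
        "BEGIN:VEVENT",
        "UID:sample-uid@example.invalid",            # assumed value
        "DTSTART:20041015T140000Z",
        "DTEND:20041015T150000Z",
        "SUMMARY:Status meeting",
        fold("LOCATION:" + location),                 # the attacker-controlled field
        "END:VEVENT",
        "END:VCALENDAR",
    ]
    return "\r\n".join(lines) + "\r\n"


def unfold(ics: str) -> list:
    """Undo RFC 5545 folding: a line beginning with a space or tab continues
    the previous content line."""
    out = []
    for raw in ics.split("\r\n"):
        if raw[:1] in (" ", "\t") and out:
            out[-1] += raw[1:]
        else:
            out.append(raw)
    return out


def location_length(ics: str) -> int:
    """Byte length of the unfolded LOCATION value, or 0 if the property is absent.
    Property parameters (e.g. LOCATION;LANGUAGE=en:...) are ignored."""
    for line in unfold(ics):
        name, sep, value = line.partition(":")
        if sep and name.split(";")[0].upper() == "LOCATION":
            return len(value.encode("utf-8"))
    return 0


def classify(ics: str) -> str:
    """Gateway verdict based on LOCATION size alone (thresholds assumed above).
    'suspicious' means the field could not have come from Outlook's own UI;
    'reject' means it is in the range HexView reported as resetting a 3.7 handheld."""
    n = location_length(ics)
    if n > RESET_TRIGGER_SIZE:
        return "reject"
    if n > OUTLOOK_LOCATION_LIMIT:
        return "suspicious"
    return "ok"


if __name__ == "__main__":
    for label, loc in (("normal", "Room 4B"),
                       ("crafted", "A" * 300),
                       ("hexview-size", "A" * (RESET_TRIGGER_SIZE + 1))):
        ics = build_meeting_request(loc)
        print(label, location_length(ics), classify(ics))
```

The point of the check is the one RIM's own wording concedes: a client-side field limit says nothing about what arrives on the wire, so a filter that wants to catch this class of message has to measure the property after unfolding it rather than trust the sending client.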

"The short answer is that there was a bug that could cause the device to reset, but it was fixed previously and there weren't any reported problems with customers and there weren't any security issues," RIM spokesperson Lauren Doherty told
