
Posts Tagged ‘BES’

Orange Alert: BlackBerry Security Advisory

April 13th, 2011

Security Communications Release: Security Advisory posted (KB26296: Cross-site scripting (XSS) vulnerability in the BlackBerry Web Desktop Manager component of the BlackBerry Enterprise Server)

On April 12, 2011, Research In Motion (RIM) released a security advisory, KB26296: Cross-site scripting (XSS) vulnerability in the BlackBerry Web Desktop Manager component of the BlackBerry Enterprise Server. This security advisory provides details of a known cross-site scripting vulnerability in the BlackBerry Web Desktop Manager component of the BlackBerry Enterprise Server and BlackBerry Enterprise Server Express.

RIM has issued interim security software updates that resolve the issue in supported software versions of the affected software. Resolution for the issue is available by downloading and applying the interim security software update for the appropriate affected software version. Links to the updates are listed in the Resolution section of the security advisory. Orange recommends that BlackBerry Enterprise Server or IT administrators should apply the software updates.

The vulnerability could allow an attacker to execute externally supplied scripts using the user privileges of the BlackBerry Web Desktop Manager. This could allow the attacker to perform any BlackBerry Web Desktop Manager task that the legitimate user could perform on a BlackBerry smartphone while the user is logged in to the BlackBerry Web Desktop Manager. Such tasks include remotely wiping and disabling the device, remotely resetting the device password and locking the device, and activating the user’s account on another device over the wireless network.

Successful exploitation of this issue requires an attacker to persuade the legitimate user to click a specially crafted URL in a web browser or an email or instant message.

For further information, please see the posted security advisory above.

Mobile & Cellular

The BlackBerry Administration Service was unable to retrieve specific device attributes from the device that is connected to your computer.

April 5th, 2011

Oh how this message has haunted me over the past couple of hours. The story goes something like this: customer pays for on-site support, I advise customer to prepare server and create BES admin user, then I arrive. Install the BES Express onto the Windows 2003 server, plug it in to Exchange & AD, so far everything is looking good, yet the installation skips the MAPI option. Anyhow, the software finally installs and I connect the device to the server to do a wired activation and set up. I create a user and try to assign a user to the attached device. Then up pops the dreaded message: "The BlackBerry Administration Service was unable to retrieve specific device attributes from the device that is connected to your computer." At first I believe this is down to the device being set up via BIS first, so a handheld wipe and cleanup is completed. This solved nothing, so I checked the permissions of the admin account that was set up. All looked well until I attempted to ensure that the account could log on as a service and realised that the right service manager in My Computer differed to what I normally see: there was no local security option.

At this point I had decided that the admin account might have been set up incorrectly, so I tried in vain to follow the steps laid out in the install guide with no success. It was then I decided to go guerrilla on the server: I created a user (in AD Users and Computers), assigned a mailbox (in Server Manager), allowed the Send As, Receive As and information store permissions (right-clicked AD Users and Computers) and sent the test mails via Outlook Web Access. Following that I uninstalled the BESE and cleaned out the old databases. After logging into the BESAdmin account I had just created I started the install, and this eventually threw up the MAPI option which was missing from the initial setup. With the install complete I added the users and connected the device to the server, then clicked the assign device to user button and hid under the desk. Whilst under there I noticed that the handset was doing stuff, so I jumped up and saw that it had assigned correctly.

I then went about generating some activation passwords and sending them wirelessly to the devices.  A few minutes pass and we start to see users appear next to devices, Woooooo Hoooooo!

Not satisfied with “just” fixing it I needed to troubleshoot the initial install to find out what went wrong.  After scouring through the old server logs, I couldn’t see any failure points and felt like throwing the server in the bin.  Eventually I noticed something about the admin account that was created for the first install.

The initial account was what the customer used as the main Windows account and was a Domain Controller. This is what stopped the system working. How? I am still working on that one, but if like me you had this fault then check the following:

Log into the server using the BESAdmin account, ensure that the BESAdmin account is a Domain User, ensure it is a member of the Administrators group, give it Send As and Receive As permissions and finally check it can access and edit the information store. On a side note, if you use the Windows Server 2003 manager and MS SQL then you do not need to check for SQL permissions, as it is set to give full access to admins by default.

So if you get stuck and can’t see any possible causes just check the account permissions.  Failing that give me a shout and I will see if I can help!

A helping hand, Geko Direct Limited

BlackBerry BES Vulnerability

October 14th, 2010

Orange Alert: Vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server

On October 13, 2010, Research In Motion (RIM) released a security advisory, KB24547: Vulnerability in the PDF distiller of the BlackBerry Attachment Service for the BlackBerry Enterprise Server. This security advisory provides details of a known vulnerability in the PDF distiller of the BlackBerry Attachment Service component of the BlackBerry Enterprise Server and BlackBerry Enterprise Server Express, and BlackBerry Professional Software that affects how the BlackBerry Attachment Service processes PDF files.

RIM has issued interim security software updates that resolve the issue in supported software versions of the affected software. Resolution for the issue is available by downloading and applying the interim security software update for the appropriate affected software version. Links to the updates are listed in the Resolution section of the security advisory. Orange recommends that you apply the software update or implement the workaround which is also documented in the security advisory.

This security issue could allow a malicious individual to cause buffer overflow errors, leading to a Denial of Service (DoS) condition or possibly arbitrary code execution on the computer that the BlackBerry Attachment Service runs on. Successful exploitation of this issue requires a malicious individual to persuade a BlackBerry smartphone user to open a specially crafted PDF file on a BlackBerry smartphone that is associated with a user account on a BlackBerry Enterprise Server. The PDF file may be attached to an email message, or the BlackBerry smartphone user may retrieve it from a web site using the Get Link menu item on the BlackBerry smartphone.

So just be careful when opening PDF attachments!!!

A helping hand, Geko Direct Limited

Why Geko Direct??

October 5th, 2010

Since working in sales I do find the same questions keep popping up all the time and would like to answer them here. We supply a large number of BlackBerry devices to our business customers on the Orange network and would like to share why we do so. This will explain the benefits of accepting an offer through Geko Direct and utilising the Orange network.

Why Geko?

Apart from the obvious advantages of having a one to one account management service and a home grown team of business mobile professionals whose sole aim is to keep your business mobile…

Geko Direct Limited is passionate about emerging and current technologies, which is why every member of staff is trained and qualified to sell and support the kit we supply. We also have a highly qualified technical support team who are on hand to assist with anything you require, from software installation right up to policy management and handset setup. Due to Geko’s unique working relationship with Orange we are able to offer top level support normally reserved for corporate account holders to anybody with an account with Geko/Orange.

All of our staff have completed the dealer training provided by RIM to ensure that we are able to sell and support with confidence.

Why Orange?

Orange are currently the biggest UK network with over 50% of the market share and have invested heavily (over £1m per day) in bringing the network up to the high standards demanded by RIM.

The Orange BlackBerry Internet infrastructure is constantly monitored and has multiple fail-safes and failover thresholds to provide the high availability that RIM prides itself on.

The support team at Orange are some of the highest qualified and technologically talented people in the industry. Anyone working within the ring-fenced BlackBerry support team was handpicked and trained to the highest required standards by RIM and Orange.

All BlackBerry support members within Orange are UK based and are able to remotely diagnose problems and provide remote support to Enterprise Servers to both IT management and the customer direct.  Every call made to Orange from a BlackBerry smartphone is automatically directed to this team and will be answered within 10 seconds, a service that cannot be rivalled or matched by any other network.

Orange is the only network in the UK who can provide a phone service with absolutely no network coverage, providing you are within a Wi-Fi hotspot. With UMA you are able to use an existing wireless network to make and receive calls with no additional software or hardware. The end user will receive the call with no knowledge that it is routed through the internet to an Orange switching station, which forwards the call through the cellular network.

Summary

Put simply, by accepting a BlackBerry device or product through Geko and Orange you are ensuring the highest quality support and expertise, which will ensure that your business is never kept waiting.

A helping hand, Geko Direct Limited