If you were paying attention on Wednesday, you'll recall that I mentioned a security issue put out by a company called Hexview, which warned of a possible buffer overflow condition if a user receives an Outlook meeting invitation with more than 128KB in the Location field. On Thursday RIM posted a Knowledge Base article addressing the issue. While they acknowledged that the handheld could be reset by sending such a message, they denied that it was a buffer overflow condition (which means that a hacker couldn't then execute arbitrary code on your handheld after sending you a message) and denied that it could cause data loss. Additionally, the handheld reset issue would only affect users running handheld software version 3.7 SP1 or earlier (i.e., they already fixed the problem).
In other words, if a) you're running old software, and b) someone had a lot of time on their hands, then they could cause your handheld to restart. Whoop-de-doo. I bet this is one of those times when the guys at Hexview maybe should have contacted the vendor in advance (even though it's not their policy). It's nice and all to get the information out in the open, but you definitely need to get your facts straight if you're going to cry wolf. The next time around people just might not listen.
October 15, 2004 in News by ajohnson