RIM updates BlackBerry Desktop Software to fix ActiveX flaw

Research In Motion has quietly released an update to its BlackBerry Desktop Manager, fixing an ActiveX vulnerability in the Roxio Media Manager that could be exploited by an attacker to cause a buffer overflow.

RIM uses the media manager to synchronize BlackBerrys and PCs running Microsoft Windows. In its advisory to customers issued Nov. 27, RIM said the flaw could be exploited if a user visits a malicious website that invokes the control. The company urged its customers to upgrade to the latest patch for the BlackBerry Desktop Software version 4.5, 4.6 or 4.7.

The problem is in Macrovision’s FLEXnet Connect, a software package that allows vendors to provide updates to applications, according to a vulnerability note issued by the United States Computer Emergency Readiness Team (US-CERT). As a workaround, US-CERT said companies could disable ActiveX controls in the Internet Zone.

RIM also issued recommendations on setting administrative roles in the BlackBerry Enterprise Server. The server’s management console allows an administrator to set roles based on a person’s job responsibilities.

‘Research In Motion (RIM) recommends that the administrative roles in the BlackBerry Manager be used only to group trusted administrators according to the scope of their administrative responsibility, not for an explicit security purpose, such as limiting access to sensitive data,’ RIM said in a document issued to customers.