It is strongly recommended that you read bulletin KB17118, then download and install the patch, called Service Pack 6 Interim Security Software Update 2, from http://www.blackberry.com/go/serverdownloads. The security bulletin also offers a workaround that reduces the functionality of BES but protects the server from exploits of the Attachment Service vulnerabilities.

The affected versions of the server software are BlackBerry Enterprise Server software version 4.1 Service Pack 3 (4.1.3) through 4.1 Service Pack 6 (4.1.6), including the latest maintenance release.

• VMWare (all products, from ESX Server all the way down to VMware Player)
• Cisco PIX and ASA (versions 7.1, 7.2, 8.0 and 8.1)
• Mac OS X (Both Server and Client editions, 10.4 and 10.5 are affected)

Quite a few of these vulnerabilities are remotely exploitable and especially dangerous on the PIX and unprotected OSX and VMware installations.   VMware also looks like it may have a  local “VM breakout” bug or two, watch out for these.   We strongly recommend getting these products updated as soon as possible.

For more information and relevant links, check out the US-CERT Cyber Security Bulletin SB08-161.  Search for the product you’re running on this page.