As indicated in the first two links you listed, RIM has already released a patch to deal with this vulnerability. Our primary avenue for protecting our environment in cases like this is keeping systems up-to-date as much as possible.

As to the idea of separating the roles/servers into separate network zones, it is a nice ideal but largely impractical. Network segmentation is a best practice which we follow where possible, but there is no way all potentially vulnerable servers (read: all of them) could be separated into their own network segments.

Dan Palacios
Dept. of Consumer and Business Services
IMD Network Group
503-947-7060

From: oagitm-bounce@xxxxxxxxxxxxx [mailto:oagitm-bounce@xxxxxxxxxxxxx] On Behalf Of Sandi Arbuckle
Sent: Monday, August 15, 2011 9:39 AM
To: oagitm@xxxxxxxxxxxxx
Subject: [oagitm] Securing/Hardening of the Blackberry BES platform

RIM has announced an image processing vulnerability (RIM KB27244) that details a way to compromise server security by simply sending a carefully crafted TIFF or PNG file to any BES user. The vulnerability is present in several versions of BES for Exchange and RIM has issued patches. Successful exploitation of these vulnerabilities may allow an attacker to gain access to and execute code on the BES server at the privilege level of the BES service account.

What steps have other counties already taken or plan to take to isolate BES servers on their networks to limit the scope of this and future threats? RIM suggests BES could be placed on an isolated DMZ segment to limit the scope of successful attacks, in addition to applying the security patch that replaces the affected image-processing DLL. Feedback from other counties on their view of this issue and solutions under consideration would be helpful.

Links to related information:
https://threatpost.com/en_us/blogs/severe-remote-flaw-fixed-blackberry-enterprise-server-081211
http://btsc.webapps.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB27244
http://docs.blackberry.com/en/admin/deliverables/25734/BlackBerry_Enterprise_Server-Security_Note--1395142-0307061517-001-5.0.3-US.pdf

Thanks,
Sandi Arbuckle
Information Technology Director
Coos County Courthouse
(541)756.8618
(541)404.5319 (c)
sarbuckle@xxxxxxxxxxxxx
"To give anything less than your best, is to sacrifice the gift." - Steve Prefontaine