Hiding malicious code inside image files isn’t new: way back in ye olden days of 2004, malware hidden inside JPEG files plagued Windows machines. Some administrators are doubtlessly wondering why, after all this time, this sort of vulnerability hasn’t been decisively eliminated from the online world.
An attacker could rig a TIFF image with malware and get a user to either view the image via a specially crafted website or send it to the user via email or instant message. The last two exploit vectors could make it so the user wouldn’t have to click the link or image, or view the email or instant message, for the attack to prove successful. Once executed, an attacker could access and execute code on Blackberry’s Enterprise Server. According to the advisory, an attacker could also “extend access to other non-segmented parts of the network,” depending on privileges.