BlackBerry PDF Distiller Vulnerability
2008-07-15 21:36:34 by Editor in Cheap Hack
 
Research In Motion has disclosed an unpatched vulnerability in the PDF distiller in the BlackBerry Attachment Service. Thanks to the Internet Storm Center for alerting us to the problem. The distiller is a program that reads PDF files and re-renders them in a format that the BlackBerry can display. The BlackBerry Attachment Service runs on the BlackBerry Enterprise Server.

The advisory is somewhat unclear as to whether the BlackBerry device is itself vulnerable; more likely it is the server on which the BlackBerry Attachment Service runs that can be compromised by a malicious PDF file. This service has been compromised in the past by malicious files, as its job is to parse a wide variety of file formats, a task that is difficult to harden against attack, especially heap overflows.

The advisory and some BlackBerry lockdown guides, such as this one from the Australian Department of Defense (PDF), recommend that the Attachment Service be run on a separate computer on an isolated network segment in order to minimize the damage that any compromise can do. The advisory also includes other workarounds you can perform, such as disabling the distiller's support for PDF files. RIM has no time frame for a resolution of the problem.
 
 
 
 
 
 