Ask one hundred executives what one piece of equipment they couldn’t live a day without and 97 of them will probably say their BlackBerry. That the other three will tell you to ask their assistant to get back to you with an answer notwithstanding, the ‘always available’ access to email offered by BlackBerries, iPhones, Androids, Windows Mobile, Symbian, and other smartphone platforms has elevated email from an important business application to a 24×7 mission-critical service that, much like electricity, is expected to just work. Given the importance of email, and the need to maintain these devices, it is absolutely essential to keep up with the security patches released by the vendors.
A patch for this vulnerability is not available at the time of this writing, so Research In Motion recommends following one of the two workarounds/mitigating actions.
2) Disable the browser
You can also disable the browser completely, either on individual phones or through the BlackBerry Enterprise Server administrative console, using the Allow Browser IT policy rule and the Allow Other Browser Services IT policy rule. Once these rules are disabled, the browser will not work, and clicking a link in an older email will generate an error indicating the user should contact their IT department. Again, you should make your users aware of this change.
In both cases, if you outsource management of your BlackBerry Enterprise Server, you will need to work with your service provider to implement these policies.
Beyond the importance of patching the BlackBerries in your environment, this should also emphasize the importance of adding smartphones to your enterprise patching process. Whether these phones are corporately purchased and maintained, or users are allowed to connect their personal phones to the company’s email system, ensuring that all devices are fully patched and maintained is something you should discuss within your department. Develop a plan for patching corporate systems and for verifying that users are patching their personally owned devices.
Given the challenge of patching equipment the company doesn’t own, I am curious; do you allow users to connect to your email system with personally owned equipment? How do you patch them?