Here is the latest info that I received this morning from our TAM. It appears there are 4 holes which 3 of them have a fix with the HF's in SP3. The last point they are currently working on the fix.
1. Overview - If you download a JAD file with a long descriptor (>256
characters) the dialogue box isn't properly dismissed. Referenced in
2. Overview - A specially formed PNG file may lead to arbitrary code
execution on the attachment server. Referenced in KB-04756:
3. Overview - A specially formed TIFF file may lead to cause the
attachment server to crash. The attachment server will automatically
restart. Referenced in KB-04757:
4. Overview - A malformed packet sent to the BlackBerry Router can cause
it to crash creating a denial of service. Referenced in KB-04758:
The first three points above have been addressed in SP3 Hofixes.. Please
the release notes.
The fourth point above refers to the possible "denial of service"
attacks to the BlackBerry Router. This is the only fix that we're still
working on, and a fix should be along soon. It is important to note
that this possible attack must come from inside your environment, since
port 3101 (if configured as per our installation requirements) does NOT
allow any inbound connections.