Adobe Gets Busy With Fixes For ColdFusion, Reader, Flash


Adobe issued security updates Tuesday repairing dozens of flaws in Flash Player and its PDF software, as well as a dangerous zero-day vulnerability in its ColdFusion application server that attackers are actively exploiting and that may be linked to a spate of recent data breaches.

Adobe issued a critical update for its ColdFusion application development platform. The update covers ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0 for Windows, Mac and Unix and repairs a zero-day vulnerability that the software maker said is being used in ongoing attacks.

"There are reports that an exploit for this vulnerability is publicly available," Adobe said in its security advisory. "This vulnerability could permit an unauthorized user to remotely retrieve files stored on the server."


ColdFusion flaws have been used by attackers to gain access to hosting providers and other organizations. Last month Galloway, N.J.-based Linode, which provides cloud hosting services for software engineers, reported a data security breach after attackers exploited a zero-day flaw in the ColdFusion application server. The attack took place shortly before Adobe issued a hotfix repairing a pair of ColdFusion vulnerabilities. Email addresses may have been exposed, along with encrypted credit card data and hashed passwords. The company said it reset account passwords as a precautionary measure.

"Our investigation reveals that this group did not have access to any other component of the Linode infrastructure, including access to the host machines or any other server or service that runs our infrastructure," Linode said in a statement.

A similar attack in February and March reportedly targeted a ColdFusion deployment in the state of Washington. The Washington state court system data breach exposed up to 160,000 Social Security numbers and about a million driver's license numbers.

The attention given to ColdFusion has taken some of the pressure off Oracle, which has been dealing with Java issues over the past several months, said Paul Henry, security and forensic analyst at Scottsdale, Ariz.-based security vendor Lumension Security. Attackers are finding easy-to-target vulnerabilities in the software and are using them to gain access to critical systems, he said. Adobe is once again "becoming more of a threat vector," Henry said.

Adobe also released a critical bulletin repairing 13 vulnerabilities in its widely deployed Flash Player software. The bulletin addresses memory corruption vulnerabilities and affects users of Flash Player and Adobe AIR on Windows, Macintosh, Linux and Android devices.

"These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said.

The software maker also addressed 27 vulnerabilities in its Adobe Reader and Acrobat software. The security update fixes a variety of coding errors, including a use-after-free vulnerability that can enable an attacker to bypass the sandbox restrictions built into Adobe Reader and Acrobat X. Other memory corruption errors can cause the software to crash and potentially allow an attacker to take complete control of an affected system, Adobe said.

The update impacts all currently supported versions of Adobe Reader and Acrobat.

PUBLISHED MAY 15, 2013