Adobe in Patch Mode

Wednesday, May 15, 2013 @ 03:05 PM gHale

Adobe sent out hotfixes for two vulnerabilities in its ColdFusion platform the bad guys are already taking advantage of.

Adobe, which for a few months has been synchronizing its monthly security updates with Microsoft’s, also released patches for vulnerabilities in Adobe Reader and Flash Player; to date, none of those are known to be under active exploitation.


The ColdFusion fixes address vulnerabilities in ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Mac and Unix. One vulnerability, CVE-2013-1389, enables remote code execution on a server running ColdFusion, while the other, CVE-2013-3336, allows unauthorized remote access to files stored on the server. It is this bug, Adobe said, that is currently undergoing exploitation.

Adobe also patched 13 memory corruption vulnerabilities in Flash Player that could cause the media player to crash and allow attackers to gain remote control over a compromised computer. The Windows version received the most critical rating; Mac, Linux and Android patches were also released, as was a fix for Adobe AIR.

The Adobe Reader bulletin patches 30 vulnerabilities in Reader and Acrobat 11.0.02 for Windows and Mac, and Reader 9.5.4 and earlier 9.x versions for Linux. The vulnerabilities involved include 18 memory corruption vulnerabilities that could lead to remote code execution. The remainder of the security updates resolve integer underflow, use-after-free, stack overflow, buffer overflow, integer overflow and information leakage vulnerabilities.

In one Washington State breach, hackers took advantage of an unpatched ColdFusion instance to grab as many as 160,000 Social Security numbers belonging to anyone booked into a city or county jail between September 2011 and December 2012, according to a release by the State Court System. In addition, hackers may have pulled driver’s license numbers belonging to up to one million Washington citizens, the court said.

“The vast majority of the site contains non-confidential, public information. No personal financial information, such as bank account numbers or credit card numbers, is stored on the site,” the court said in a statement. “However, other data stored on the server did include social security numbers, names, dates of birth, addresses, and driver license numbers that may have been accessed. Although there is no hard evidence confirming the information was in fact compromised, the data was still vulnerable and should be considered as potentially exposed.”
