Adobe Fixes One, Working on Others

Thursday, December 15, 2011 @ 02:12 PM gHale

Adobe released a patch, but it was not the one that was top of mind for a majority of users out there. This patch was for the vulnerability affecting versions of its ColdFusion Web application development platform.

Adobe still hasn’t set a date for an emergency patch for a critical and previously unknown hole in the Reader and Acrobat applications, a company spokesperson said.


The vulnerability affects ColdFusion versions 9.01, 9.0, 8.0.1 and 8.0 running on Microsoft Windows, Apple’s Mac and UNIX operating systems, and an attacker could use it in cross-site scripting attacks against those platforms, according to a security bulletin published by Adobe. However, the developer who discovered the hole said it didn’t allow malicious code to execute in the tests he performed.

ColdFusion is a development platform used to create rich Internet applications. In a cross-site scripting attack, attackers take advantage of vulnerabilities in Web applications and static Web pages to inject a client-side script into other users’ Web sessions.

Web developers working for the Federal Reserve Bank of Atlanta discovered the cross-site scripting vulnerability as part of an internal development project, according to Howard Fore, a senior Web developer at the bank. Fore and a colleague, Shawn Gorrell, reported the hole to Adobe in August, then worked with Adobe staff to fix it. Fore said staff at the Federal Reserve Bank never found a way to use the hole to run malicious code on vulnerable systems.

Adobe said the patch resolves two vulnerabilities: CVE-2011-2463 and CVE-2011-4368. It advised customers to update their ColdFusion installations as soon as possible to protect against remote attacks that target the security hole.

The company is planning an emergency patch for Acrobat and Reader, following the discovery of a critical vulnerability affecting both platforms. Hackers are already taking advantage of the hole with exploits linked to malicious attacks online, including installations of the Sykipot Trojan, researchers said.
