Adobe patches 'critical' flaws in ColdFusion, JRun

Code execution, information disclosure bugs dead


Adobe Systems has released updates that patch vulnerabilities in two widely used web development applications, several of which let attackers steal sensitive data or take complete control of users' machines.

In all, the patches fix seven flaws in versions 8.0.1 and earlier of ColdFusion and in JRun 4.0. The most serious of them are cross-site scripting (XSS) bugs that allow attackers to execute malicious code on an underlying system by supplying a target with a booby-trapped web link.

Adobe engineers also fixed a separate management console flaw. It allowed unauthenticated users to traverse restricted directories, a vulnerability that could lead to information disclosure. Proof-of-concept code released Tuesday showed the flaw could be exploited using a URL that looks something like this:

http://[server]/server/[profile]/logging/logviewer.jsp?logfile=../../../../../../../boot.ini
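The defensive side of that traversal bug, as an added example that is not from the article, Adobe or JRun: a containment check that rejects a `logfile` value resolving outside the log directory, and a scanner that flags such requests in web server access logs. The log directory `/opt/jrun/logs`, the helper names and the sample log lines are all constructed assumptions.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines for the demo (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Aug/2009:10:01:02 +0000] "GET /server/default/logging/logviewer.jsp?logfile=server.log HTTP/1.1" 200 512
10.0.0.9 - - [10/Aug/2009:10:01:07 +0000] "GET /server/default/logging/logviewer.jsp?logfile=../../../../../../../boot.ini HTTP/1.1" 200 310
10.0.0.9 - - [10/Aug/2009:10:01:09 +0000] "GET /server/default/logging/logviewer.jsp?logfile=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024
"""

# Assumed log directory for the hypothetical viewer.
LOG_DIR = "/opt/jrun/logs"

REQ_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def safe_log_path(log_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path of `requested` inside `log_dir`, or None if
    the resolved path escapes the directory. This is the containment check
    the unpatched viewer lacked; it is a hypothetical helper, not JRun code."""
    base = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    # realpath collapses '..' segments, so a comparison of the resolved
    # prefix catches traversal regardless of how many '../' were supplied.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def traversal_requests(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded logfile value) for each logviewer.jsp
    request whose logfile parameter would escape LOG_DIR."""
    hits = []
    for line in log_text.splitlines():
        m = REQ_RE.search(line)
        if not m or "logviewer.jsp" not in m.group(1):
            continue
        # parse_qs percent-decodes, so encoded '%2F' is seen as '/'.
        params = parse_qs(urlsplit(m.group(1)).query)
        for value in params.get("logfile", []):
            if safe_log_path(LOG_DIR, value) is None:
                hits.append((line.split()[0], value))
    return hits
```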

The fixes come as Adobe, whose software is perhaps more ubiquitous than Microsoft's, struggles to patch a variety of security vulnerabilities that have been exploited to install malware on the machines running the programs. Three weeks ago, its security team pushed out a fix for a bug in its Flash Player that criminals were using to hijack user machines. Attackers last month were also able to compromise a large number of websites by targeting an open-source text editor bundled with ColdFusion.

In May, Adobe announced it was reinvigorating security measures used to design its Reader application used to view PDF documents. The initiative was a great start, but by no means adequate because it left Flash and other widely used Adobe titles out of the tent.

Adobe says it is currently unaware of any exploits targeting the latest ColdFusion and JRun bugs. The company's security bulletin is available on its website. ®
