September 23, 2014

Adobe releases hotfix for ColdFusion

adobe-logo(LiveHacking.Com) –  Earlier this month Adobe published a security advisory outlining some Critical vulnerabilities in Adobe ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh, and UNIX. At the time, Adobe promised it would fix the problem and publish patches, which it has now done. The hotfix released by Adobe addresses vulnerabilities that could permit an unauthorized user to remotely circumvent authentication controls and potentially allowing the attacker to take control of the affected server. The flaws have been assigned CVE numbers: CVE-2013-0625, CVE-2013-0629, CVE-2013-0631 and CVE-2013-0632.

Adobe is reporting that it is aware of reports that the vulnerabilities are being exploited in the wild against ColdFusion customers.

The patches fix the follow vulnerabilities:

  • An authentication bypass vulnerability affecting ColdFusion versions 9.0.2, 9.0.1 and 9.0.0, which could result in an unauthorized user gaining administrative access (CVE-2013-0625).
  • A directory traversal vulnerability affecting ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0.0, which could permit an unauthorized user access to restricted directories (CVE-2013-0629).
  • A vulnerability affecting ColdFusion versions 9.0.2, 9.0.1 and 9.0.0, which could result in information disclosure from a compromised server (CVE-2013-0631).
  • An authentication bypass vulnerability affecting ColdFusion versions 10, 9.0.2, 9.0.1 and 9.0.0, which could result in an unauthorized user gaining administrative access (CVE-2013-0632).

Adobe to patch Critical flaws in Acrobat and ColdFusion

adobe-logo(LiveHacking.Com) – Critical vulnerabilities have been found in Adobe Reader, Acrobat and ColdFusion and Adobe is planning to release patches to fix the flaws over the next week. The first to be patched will be Adobe Reader and Acrobat. Adobe plans to release a security update on Tuesday, January 8, 2013 for Adobe Reader and Acrobat XI (11.0.0) and earlier versions for Windows and Macintosh, and Adobe Reader 9.5.1 and earlier 9.x versions for Linux.

The nature of the vulnerabilities in Adobe’s PDF tools is not yet know, however they are ranked as Critical. A Critical vulnerability is one which, if exploited, would allow malicious native-code to execute, potentially without the user’s knowledge.

More is known about the ColdFusion vulnerabilities.  Adobe has identified three flaw affecting ColdFusion for Windows, Macintosh and UNIX:

  • CVE-2013-0625 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user to remotely circumvent authentication controls, potentially allowing the attacker to take control of the affected server.
  • CVE-2013-0629 affects ColdFusion 10, 9.0.2, 9.0.1 and 9.0, and could permit an unauthorized user access to restricted directories.
  • CVE-2013-0631 affects ColdFusion 9.0.2, 9.0.1 and 9.0, and could result in information disclosure from a compromised server.

Adobe has confirmed that these vulnerabilities are being exploited in the wild but also notes that CVE-2013-0625 and CVE-2013-0629 only affect ColdFusion customers who do not have password protection enabled or have no password set.

The company is in the process of finalizing a patch for the vulnerabilities and expects to release a ColdFusion hotfix for versions 10, 9.0.2, 9.0.1 and 9.0 for Windows, Macintosh and UNIX on January 15, 2013.

“We are currently evaluating the reports and plan to issue a security advisory as soon as we have determined mitigation guidance for ColdFusion customers and a timeline for a fix,” Adobe’s Wendy Poland said in a post on Adobe’s Product Security Incident Response Team (PSIRT) Blog.

Tuesday, January 8 is also the day that Microsoft will release seven security bulletins to address 12 vulnerabilities in Microsoft Windows, Office, Developer Tools, Microsoft Server Software and the .NET Framework.

Microsoft and Adobe release patches

(LiveHacking.Com) – Microsoft has released two security bulletins to fix vulnerabilities in Visual Studio Team Foundation Server and Microsoft System Center Configuration Manager. Both bulletins address escalation of privileges vulnerabilitys. To successfully exploit the Visual studio vulnerability and attacker would need to convince a victim to click on a malicious link or visit a malicious site.

The details are as follow:

  • MS12-061 – Vulnerability in Visual Studio Team Foundation Server Could Allow Elevation of Privilege – This security update resolves a privately reported vulnerability in Visual Studio Team Foundation Server. The vulnerability could allow elevation of privilege if a user clicks a specially crafted link in an email message or browses to a webpage that is used to exploit the vulnerability.
  • MS12-062 – Vulnerability in System Center Configuration Manager Could Allow Elevation of Privilege – This security update resolves a privately reported vulnerability in Microsoft System Center Configuration Manager. The vulnerability could allow elevation of privilege if a user visits an affected website by way of a specially crafted URL.

According to Microsoft neither of the issues addressed, which are rated Important,  is known to be under active exploitation in the wild.

Adobe
Adobe also released a security update, this time for ColdFusion. The hotfix, which is for ColdFusion 10 and earlier versions for Windows, Macintosh and UNIX, addresses a vulnerability which could result in a Denial of Service condition.

Affected versions are: ColdFusion 10, 9.0.2, 9.0.1, 9.0, 8.0.1, and 8.0 for Windows, Macintosh and UNIX