Suffice it to say, the security of Adobe’s ColdFusion web application platform hasn’t had the best 18-month stretch.
Hackers have had their way with vulnerabilities in the software, which have been used in a number of high-profile data breaches, including, some suspect, the breach of Adobe itself.
Adobe, however, has taken steps to rectify the situation beyond patching existing vulnerabilities as they’re publicly or privately disclosed. Yesterday, the company shared details on some security features built into ColdFusion 11, the latest version of the software released on Tuesday.
Adobe said the enhancements give developers more security controls that can be integrated into applications. Those include a new set of OWASP tools integrated into the platform, additional Secure Profile controls that were originally introduced in ColdFusion 10, and new crypto enhancements to existing APIs.
“Overall, this latest iteration of the platform increases flexibility for developers, while enhancing security,” said lead security strategist Peleus Uhley in a statement. “Administrators will now find it even easier to lock down their environments.”
The additional OWASP tools include features from the organization’s AntiSamy Project. AntiSamy is an API that checks user content supplied in HTML/CSS, such as profile information or comments, for malicious code.
“The term ‘malicious code’ in regards to web applications usually means JavaScript. Cascading Stylesheets are only considered malicious when they invoke the JavaScript engine,” says a description on the OWASP site. “However, there are many situations where normal HTML and CSS can be used in a malicious manner. So we take care of that too.”
Secure Profile is a set of security defaults introduced in ColdFusion 10; in version 11, site administrators can further lock down admin panels, for example by denying access from a range of IP addresses, which could help choke off certain types of attacks. That capability has been extended to a number of other components in ColdFusion 11.
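The admin-panel lockdown described above amounts to an IP allow-list check in front of the administrator interface. The following is an added example, not ColdFusion's Secure Profile code and not part of the original article; it assumes a CIDR allow-list configured by the administrator and a few constructed request records, and it applies the check only to the remote socket address rather than to a client-supplied header such as X-Forwarded-For, because the latter is trivially spoofable unless it comes from a trusted proxy.

```python
import ipaddress

# Allow-list an administrator might configure: only the management subnet
# and one jump host may reach the admin panel (constructed sample values).
ADMIN_ALLOW_CIDRS = ["10.20.0.0/16", "192.0.2.10/32"]

# Constructed sample requests: (remote socket address, requested path).
SAMPLE_REQUESTS = [
    ("10.20.5.44", "/CFIDE/administrator/index.cfm"),
    ("203.0.113.7", "/CFIDE/administrator/index.cfm"),
    ("192.0.2.10", "/CFIDE/administrator/index.cfm"),
    ("203.0.113.7", "/index.cfm"),
    ("not-an-ip", "/CFIDE/administrator/index.cfm"),
]


def parse_allow_list(cidrs):
    """Turn CIDR strings into network objects once, at configuration time."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_admin_path(path):
    """Paths under the admin interface are the ones subject to the IP restriction."""
    return path.lower().startswith("/cfide/administrator")


def is_allowed(remote_addr, networks):
    """True only if remote_addr parses as an IP and falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        # Unparseable addresses fail closed: deny rather than guess.
        return False
    return any(addr in net for net in networks)


def decide(remote_addr, path, networks):
    """Return 'allow' or 'deny' for one request: non-admin paths are not restricted."""
    if not is_admin_path(path):
        return "allow"
    return "allow" if is_allowed(remote_addr, networks) else "deny"


def evaluate(requests, cidrs):
    """Run the check over a batch of requests and return the decisions."""
    networks = parse_allow_list(cidrs)
    return [(addr, path, decide(addr, path, networks)) for addr, path in requests]


if __name__ == "__main__":
    for addr, path, verdict in evaluate(SAMPLE_REQUESTS, ADMIN_ALLOW_CIDRS):
        print(f"{verdict:5} {addr:12} {path}")
```

Denied admin requests are worth logging with the source address, since repeated hits from outside the allow-list are a useful early signal that someone is probing the panel.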
Adobe also made a number of security enhancements to existing ColdFusion APIs. Uhley said ColdFusion 11 now supports PBKDF2, a password-based key derivation function that allows developers to create encryption keys from passwords. Also, the cfmail tag built into ColdFusion can now send S/MIME encrypted emails. Finally, developers are now able to enable SSL for the WebSockets proxy, Uhley said.
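To show what PBKDF2 does for a developer, here is an added example written in Python against the standard library; it is not ColdFusion's API and not code from the article. It derives a fixed-length key from a password and a random salt with a configurable iteration count, stores the parameters alongside the derived key so the same key can be recomputed later, and compares in constant time. The record format and parameter choices are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# Parameters assumed for this example: SHA-256 as the PRF, a 16-byte salt,
# a 32-byte output key and 100,000 iterations to slow down offline guessing.
PRF = "sha256"
SALT_LEN = 16
KEY_LEN = 32
ITERATIONS = 100_000


def derive_key(password, salt, iterations=ITERATIONS, key_len=KEY_LEN):
    """PBKDF2-HMAC: stretch a password plus salt into key_len bytes of key material."""
    return hashlib.pbkdf2_hmac(PRF, password.encode("utf-8"), salt, iterations, dklen=key_len)


def make_record(password, iterations=ITERATIONS):
    """Derive a key from a fresh random salt and pack parameters and key into one string.

    The salt and iteration count are stored in the clear; they are not secret,
    they only make each derivation unique and expensive.
    """
    salt = os.urandom(SALT_LEN)
    key = derive_key(password, salt, iterations)
    return "$".join([
        "pbkdf2-" + PRF,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def check_record(password, record):
    """Recompute the key from the stored parameters and compare in constant time."""
    try:
        scheme, iterations, salt_b64, key_b64 = record.split("$")
        if scheme != "pbkdf2-" + PRF:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
        candidate = derive_key(password, salt, int(iterations), len(expected))
    except (ValueError, TypeError):
        # Malformed records fail closed.
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print(rec)
    print("right password:", check_record("correct horse battery staple", rec))
    print("wrong password:", check_record("Tr0ub4dor&3", rec))
```

The same derive_key output can serve as a symmetric encryption key, which is the use Uhley describes; the iteration count is the knob that trades server CPU for resistance to brute-force guessing, and it should be revisited as hardware gets faster.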
Seven months ago, Adobe suffered a massive breach of its internal network where hackers were able to make off with source code for a number of its products, including ColdFusion. Originally, Adobe reported that data for 2.9 million customers was also accessed, but that number was quickly amended to 38 million. Lost were customer contact information as well as encrypted payment card information and other information used in customer orders.
Since then, a number of breaches have been reported where exploits for ColdFusion vulnerabilities were likely used. Most recently, French hardware maker LaCie disclosed a yearlong breach that put at risk the data of anyone who purchased one of its flagship rugged external hard drives during the past year.
KrebsonSecurity reported that exploited ColdFusion bugs were to blame, as they were in break-ins at Smucker’s and SecurePay.