Adobe patched two vulnerabilities in its ColdFusion web application server today, and also released a Flash Player update that patched a remote code execution bug in the software.
A company spokesperson said none of the vulnerabilities are being exploited, nor are they related to the recent theft of Adobe source code and up to 150 million customer records, including passwords.
One of the ColdFusion bugs, however, was reported by Alex Holden of Hold Security; Holden is one of the experts who uncovered the data lost in the Adobe breach along with blogger Brian Krebs. Krebs reported today that one of the now-patched ColdFusion bugs was a zero-day being used by attackers earlier this year to break into a number of companies.
The security hotfix for ColdFusion 10 on Windows is the most critical, according to Adobe. The vulnerabilities affect versions 10, 9.0.2, 9.0.1 and 9.0, on Mac OS X and Linux as well as Windows. Adobe said one patch fixes a cross-site scripting vulnerability that could be exploited remotely by an attacker with valid credentials when the CFIDE directory is exposed. The other bug could permit unauthorized remote read access, Adobe said.
Adobe also updated Flash Player to version 11.9.900.117 for Windows and Mac OS X, and 11.2.202.310 for Linux. The patches fix flaws that could crash the Flash Player and enable an attacker to remotely take control of the underlying system hosting the software.
Both products have been patched multiple times this year. ColdFusion is of particular interest because of its involvement in the massive October breach. The attackers were able to access source code for ColdFusion, along with Acrobat, Publisher, Photoshop and other Adobe products. More than 150 million customer records were also accessed, including unsalted passwords.
ColdFusion has been patched several times by Adobe this year, going as far back as Jan. 4, when the company reported that exploits for unpatched ColdFusion vulnerabilities were in the wild. Further vulnerabilities were patched in May, weeks after cloud-hosting company Linode revealed it had been breached by attackers using a ColdFusion zero-day, with customer records including payment card information lost. Before that, on Dec. 11, Adobe patched a sandbox permissions flaw in ColdFusion, weeks after an out-of-band patch resolved a denial-of-service vulnerability.