Exploits for vulnerabilities in Adobe’s ColdFusion application server have been at the heart of a number of incidents this year, including a compromise of servers belonging to the Washington State Court system. This level of action has prompted Adobe to release five security updates for the software this year already, including hotfixes sent out today for two vulnerabilities being exploited in the wild.
Adobe, which for a few months has been synchronizing its monthly security updates with Microsoft’s, also released patches today for vulnerabilities in Adobe Reader and Flash Player; none of those flaws are actively being exploited.
It remains unclear which ColdFusion vulnerability was at the center of the Washington State breach, though the court said in a statement there were breaches in February and March. An Associated Press report last week said the vulnerability exploited in the attack had already been patched.
The fixes released today address vulnerabilities in ColdFusion 10, 9.0.2, 9.0.1 and 9.0 for Windows, Mac and Unix. One vulnerability, CVE-2013-1389, enables remote code execution on a server running ColdFusion, while the other, CVE-2013-3336, allows unauthorized remote access to files stored on the server. It is this bug, Adobe said, that is currently being exploited.
Adobe also patched 13 memory corruption vulnerabilities in Flash Player that could cause the ubiquitous media player to crash and allow attackers to gain remote control over a compromised computer. Version 22.214.171.124 for Windows was given the most critical rating. Mac, Linux and Android patches were also released, as was a fix for Adobe AIR 126.96.36.1990.
The Adobe Reader bulletin patches 30 vulnerabilities in Reader and Acrobat 11.0.02 for Windows and Mac, and Reader 9.5.4 and earlier 9.x versions for Linux. The vulnerabilities involved include 18 memory corruption vulnerabilities that could lead to remote code execution. The remainder of the security updates resolve integer underflow, use-after-free, stack overflow, buffer overflow, integer overflow and information leakage vulnerabilities.
Unlike the ColdFusion bugs, none of the Flash or Reader vulnerabilities have been spotted in the wild, Adobe said.
In the Washington State breach, hackers took advantage of an unpatched ColdFusion instance to grab as many as 160,000 Social Security numbers belonging to anyone booked into a city or county jail between September 2011 and December 2012. Driver’s license numbers belonging to up to one million Washington citizens may also have been accessed, the court said.
“The vast majority of the site contains non-confidential, public information. No personal financial information, such as bank account numbers or credit card numbers, is stored on the site,” they said in the statement. “However, other data stored on the server did include social security numbers, names, dates of birth, addresses, and driver license numbers that may have been accessed. Although there is no hard evidence confirming the information was in fact compromised, the data was still vulnerable and should be considered as potentially exposed.”