Source of Adobe zero-day bug patched

Powered by SC Magazine
 

One of the flaws at the heart of Adobe's ColdFusion 8.0.1 zero-day vulnerability has been patched.

Recent attacks were due, in part, to a vulnerable text editor bundled with the web design and development platform ColdFusion, according to Adobe. ColdFusion had been shipped with an open source text editor called FCKeditor, versions of which contained a security hole.

“Adobe is aware of reports of ColdFusion websites being compromised through a vulnerability in the FCKeditor rich text editor,” David Lenoe, Adobe product security program manager, wrote in a post on the company's Product Security Incident Response Team (PSIRT) blog.

He said Adobe is working on a fix, which is expected to be made available this week. He also outlined a workaround in the post.

In the meantime, a new version of FCKeditor has been released to address the vulnerability. In an advisory, US-CERT said that it “encourages users and administrators to upgrade to FCKeditor version 2.6.4.1 to help mitigate the risks.”

The FCKeditor vulnerability was “due to improper verification of input passed to the ‘CurrentFolder’ parameter,” US-CERT said in its advisory. “Exploitation of this vulnerability may allow an attacker to execute arbitrary code.”

ColdFusion also suffered from a second attack vector through vulnerable FCKeditor installations.

“One of the common applications that has been seen in attacks is CFWebstore, a popular e-commerce application for ColdFusion,” wrote Bojan Zdrnja, senior information security consultant at Infigo IS, in an updated post on the SANS Internet Storm Center. “Older versions of CFWebstore used a vulnerable FCKeditor installation. If you are using CFWebstore, make sure that you are running the latest version and that any leftovers have been removed.”
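Acting on the advice above (upgrade to FCKeditor 2.6.4.1 and remove leftover copies) starts with an inventory of every editor copy under the web root. The following is an added example, not code from the article, Adobe or the FCKeditor project; it assumes each copy declares its version in `fckeditor.js` as `FCKeditor.prototype.Version = '...'`, and the function names and sample tree are constructed for illustration.

```python
import os
import re
import tempfile

FIXED = (2, 6, 4, 1)  # FCKeditor release named in the US-CERT advisory above
# Assumption: fckeditor.js declares  FCKeditor.prototype.Version = '2.6.4' ;
VERSION_RE = re.compile(r"FCKeditor\.prototype\.Version\s*=\s*['\"](\d+(?:\.\d+)*)")

def parse_version(text):
    """Return the declared version padded to a 4-tuple, or None if not found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")][:4]
    return tuple(parts + [0] * (4 - len(parts)))

def find_fckeditor(webroot):
    """Walk webroot; return (relative path, version, status) per editor copy."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower() != "fckeditor.js":
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            status = "unknown"  # no version line: review this copy by hand
            if version is not None:
                status = "outdated" if version < FIXED else "ok"
            findings.append((os.path.relpath(path, webroot), version, status))
    return sorted(findings, key=lambda f: f[0])

def demo():
    """Scan a constructed tree: one old copy, one patched, one unreadable."""
    samples = {
        "store/admin/fckeditor/fckeditor.js": "FCKeditor.prototype.Version = '2.6.3' ;",
        "cms/fckeditor/fckeditor.js": "FCKeditor.prototype.Version\t= '2.6.4.1' ;",
        "old/backup/FCKeditor.js": "// constructed file with no version line",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return find_fckeditor(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Copies reported as `outdated` or `unknown` are the ones to upgrade or remove; a copy embedded in a third-party application is fixed by updating that application and deleting the old directory.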

See original article on scmagazineus.com

Copyright © SC Magazine, US edition


 
 
 