ColdFusion becomes latest Adobe attack vector, again
I feel as if I could write an "Adobe security flaw of the week" column. The company seems to be a target for every hacker on earth, with Flash and Reader leading the way. Last week it was Reader under attack; this week brings a new flaw and a new (or rather, old) target: ColdFusion, Adobe's web application development platform.
Adobe has issued a security advisory telling customers that only some installations are exposed. ColdFusion servers on which public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories has already been restricted (at the web server or firewall, as Adobe's lockdown guidance recommends) are not exposed to the reported exploit. Servers that still serve those directories to the internet are vulnerable until the hotfix ships.
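The practical question for an administrator is whether those three CFIDE directories are reachable from the outside at all. The script below is an added example, not code from the article or from Adobe: it probes each directory on a target host and reports which ones answer with something other than a deny. The host name cf.example.test and the sample responses are constructed for an offline run; pass a real base URL as the first argument to probe an actual server.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import urljoin

# Directories the advisory says must not be publicly reachable.
CFIDE_PATHS = (
    "CFIDE/administrator/",
    "CFIDE/adminapi/",
    "CFIDE/gettingstarted/",
)


def fetch_status(url, timeout=10):
    """GET a URL and return the final HTTP status code.

    urllib follows redirects, so a 302 to the administrator login page
    comes back as the 200 of that login page; HTTPError carries the
    status for 4xx/5xx answers instead of raising through.
    """
    req = urllib.request.Request(url, headers={"User-Agent": "cfide-exposure-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Map a status code to an exposure verdict for one directory."""
    if status in (401, 403, 404):
        return "blocked"          # web server or proxy refuses to serve it
    if 200 <= status < 400:
        return "exposed"          # content (or a login page) is served to anyone
    return "unknown"              # 5xx etc.: retry, do not assume it is blocked


def check_server(base_url, fetch=fetch_status):
    """Probe every CFIDE path under base_url; fetch is injectable for testing."""
    base = base_url.rstrip("/") + "/"
    return {path: classify(fetch(urljoin(base, path))) for path in CFIDE_PATHS}


def exposed_paths(results):
    """Sorted list of directories that were reachable."""
    return sorted(path for path, verdict in results.items() if verdict == "exposed")


# Constructed sample answers standing in for a real server (assumption:
# adminapi has been locked down, the other two directories have not).
SAMPLE_RESPONSES = {
    "https://cf.example.test/CFIDE/administrator/": 200,
    "https://cf.example.test/CFIDE/adminapi/": 403,
    "https://cf.example.test/CFIDE/gettingstarted/": 200,
}


def sample_fetch(url):
    return SAMPLE_RESPONSES.get(url, 404)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = check_server(sys.argv[1])
    else:
        results = check_server("https://cf.example.test", fetch=sample_fetch)
    for path, verdict in results.items():
        print(f"{verdict:8} {path}")
    if exposed_paths(results):
        print("publicly reachable CFIDE directories found; apply the advisory's restrictions")
        sys.exit(1)
    print("no CFIDE directories reachable from this vantage point")
```

Run it from outside your own network, since a deny rule keyed on source IP will look like a clean result from the inside. A "blocked" verdict only confirms the advisory's mitigation is in place; it says nothing about whether the hotfix itself has been applied.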
Much the same as with the Reader flaw, Adobe plans a fix, but appears to be in no rush to issue it. In a statement, Adobe explains "a Security Advisory (APSA13-03) has been posted in regards to a critical issue in ColdFusion 10, 9.0.2, 9.0.1 and 9.0 and earlier versions for Windows, Macintosh and UNIX.
Adobe is aware of reports that exploit code for the vulnerability is publicly available. Information regarding this vulnerability, including mitigation recommendations, is provided in the Security Advisory. We are in the process of finalizing a fix for the issue and expect a hotfix will be available on May 14, 2013".
ColdFusion is targeted less often than Flash or Reader, but this is far from the first time it has come under attack. There is a reason a site exists solely for the purpose of checking your ColdFusion server's security.