Tag Archives: coldfusion

Latest Version of ShockWave Corrects a Pair of Critical Flaws

Summary:

  • This vulnerability affects: Adobe Shockwave Player 12.0.7.148 and earlier, running on Windows and Macintosh computers
  • How an attacker exploits it: By enticing your users into visiting a website containing a malicious Shockwave file
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: If you allow the use of Shockwave in your network, you should download and deploy the latest version (12.0.9.149) as soon as possible.

Exposure:

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

In a security bulletin released Tuesday, Adobe warned of two critical vulnerabilities that affect Adobe Shockwave Player 12.0.7.148  for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin doesn’t describe the flaws in much technical detail, only describing them as memory corruption vulnerabilities. The flaws share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit either of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.

If you use Adobe Shockwave in your network, we recommend you download and deploy the latest version as soon as you can.

As an aside, Adobe also released a security bulletin last week, fixing a zero day vulnerability in Flash Player. If you happened to miss that update, be sure to install it as well.

Solution Path

Adobe has released a new version of Shockwave Player, version 12.0.9.149. If you use Adobe Flash in your network, we recommend you download and deploy this updated player as soon as possible.

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from accessing Shockwave content (.SWF) via the web (HTTP) or email (SMTP, POP3). If you like, you can temporarily mitigate the risk of this vulnerability by blocking .SWF files using your Firebox’s proxy services. That said, many websites rely on Shockwave for interactive content, and blocking it could prevent these sites from working properly.

Status:

Adobe has released a Shockwave Player update to fix these vulnerabilities.

References:

ColdFusion Security Update: Minor to Me, Perhaps Major to You

By now, I should be used to the fact that Adobe Patch Day falls on the same Tuesday as Microsoft Patch Day, and yet Adobe still seems to sneak a few by me.

During the rigmarole of Microsoft Patch Day last Tuesday, Adobe released a security advisory describing an update that fixes a security flaw in the ColdFusion web application server. For those that don’t know, ColdFusion, or CFML, is a web application language, which you can use to tie your web site to a database back-end. Adobe’s ColdFusion is a product for creating CFML applications, and it even comes with a built-in web server (thought not one intended for production use). According to Adobe’s advisory, ColdFusion suffers from a Denial of Service (DoS) vulnerability involving hash algorithm collisions. This flaw’s not a huge threat, but if you have ColdFusion you should patch.

If I’m being honest, my first response to seeing this advisory was, “who cares.” While I don’t know the official numbers, I’m fairly sure that few web sites actually leverage ColdFusion for their web applications today. They use PHP and .ASP instead. However, an audience member from a presentation I gave yesterday reminded me that one man’s lame app might be another man’s favorite program.

The IT Professional in question was telling me about a client who had a network breach. An attacker had gained access to the client’s SQL database via their web site, and stole and deleted lots of data. What was the ultimate culprit? An older, unpatched version of ColdFusion. Well. I’ll be. Here I was callously ignoring a product that I felt was not worthy of attention, meanwhile attackers are targeting it.

Yes. I’m being a little over dramatic to illustrate a point. Yet, this conversation reminded me that vulnerabilities in less popular products can still greatly affect some people. In fact, sometime we even forget about some of the less popular products we have on our computers since we never use them. If we’ve forgotten about them, we’re probably not updating them. Luckily, there are tools that can help you with this problem.

At home, I’ve installed the free personal version of Secunia’s PSI (it stands for Personal Software Inspector). It checks your computer for every software package you install, and tries to tell you the ones that haven’t been updated. I especially like that it doesn’t only tie to the Windows “install/uninstall” component, but instead scans your computer for executables. Sometimes we install products on our computers that the Windows uninstaller doesn’t “see,” but PSI will still find and recognize these programs. Since many less popular products don’t have automatic update mechanisms, PSI is a great tool to proactively find what software you should patch. I recommend you check it out. — Corey Nachreiner, CISSP (@SecAdept)

Adobe Drops Reader, Shockwave, and Flash Updates on Patch Day

Severity: High

10 February, 2011

Summary:

  • These vulnerabilities affects: Recent versions of Adobe Reader, Acrobat, Shockwave, Flash, and ColdFusion
  • How an attacker exploits it: In various ways, but most commonly by enticing your users into visiting a website containing malicious Flash, Reader, or Shockwave content
  • Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it
  • What to do: If you use these popular Adobe products, you should download and install their various updates as soon as possible.

Exposure:

Sharing the same day as Microsoft’s Black Tuesday (the second Tuesday of the month), Adobe’s quarterly Patch Day often gets buried under the flood of Microsoft’s updates. Nonetheless, attackers have increasingly targeted flaws in 3rd party programs, which makes Adobes’ numerous patches just as important.

On Tuesday, Adobe released four security bulletins, which included updates to fix several security vulnerabilities in many of their popular applications. The affected software includes Reader, Acrobat, Shockwave Player, Flash Player, and Coldfusion. We summarize these four bulletins below.

  • APSB11-01: Shockwave Update Fixes 21 Vulnerabilities

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

Adobe’s bulletin warns of 21 security vulnerabilitys that affect Shockwave Player 11.5.9.615 and earlier for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin doesn’t describe the flaws in much technical detail. It only describes the nature and basic impact of each flaw. For the most part, the flaws consist of unspecified memory corruption vulnerabilities. Though these flaws differ technically, most of them share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC.
Adobe Severity: Critical

  • APSB11-02 : Flash Update Corrects 13 Security Flaws

Adobe Flash Player displays interactive, animated web content called Flash. A recent report from Secunia stats that 99% of Windows computers have Adobe Flash Player installed, so you users very likely have it.

Adobe’s update fixes 13 security vulnerabilities in Flash Player (for Windows, Mac, Linux, and Solaris), which they don’t describe in much technical detail. However, they do describe the general scope and impact of these flaws. In the worst case, if an attacker can lure one of your users to a malicious website, they could exploit some of these flaws to gain control of that user’s computer. We assume the attacker would only gain the privileges of the logged in user. However, since most Windows users have local administrator privileges, the attacker would likely gain full control of Windows machines.
Adobe Severity: Critical

  • APSB11-03: Reader Update Patches 29 Security Flaws

Adobe’s Reader bulletin describes 29 security vulnerabilities (number based on CVE-IDs) that affect Adobe Reader X and Acrobat X and earlier, running on Windows, Mac, and UNIX computers. The flaws differ technically, but consist mostly of various code execution flaws, which share the same general scope and impact. In the worst case, if an attacker can entice one of your users into downloading and opening a maliciously crafted PDF document (.pdf), he can exploit many of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

Last year, we predicted that attackers would increasingly target third-party applications, like Adobe Reader. This prediction has proven true, with many confirming that Adobe Reader is the most exploited application by attackers. For those reasons, we highly recommend you download and install these Reader updates immediately.
Adobe Severity: Critical

  • APSB11-04: ColdFusion Hotfix Corrects Five Vulnerabilities

Adobe ColdFusion is an application server that allows you to develop and deploy web applications.

According to Adobe, ColdFusion 9.0.1, running on all platforms (Win, Mac, and UNIX) suffers from five security vulnerabilities, the worst being a few Cross-Site Scripting (XSS) vulnerabilities that could potentially allow attackers to steal cookies or hijack sessions of users that visit your site. ColdFusion isn’t the most popular server out there, so I don’t expect many of our customers to be affected by these particular flaws.
Adobe Severity: Important

Solution Path:

Adobe has released updates for all their affected software. If you use any of the software below, we recommend you download and deploy the corresponding updates as soon as possible, or let Adobe’s automatic updater do it for you:

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from downloading certain types of files via the web (HTTP) or email (SMTP, POP3). If you like, you can temporarily mitigate the risk of some of these vulnerabilities by blocking various Adobe-related files using your Firebox’s proxy services. Such files include, .PDF, .SWF, .DIR, .DCR, and .FLV. That said, many websites rely on these files to display interactive content. Blocking them could prevent some sites from working properly. Furthermore, many businesses rely on PDF files to share documents. Blocking them would affect legitimate files as well. For that reason, we recommend the updates above instead.

Nonetheless, if you choose to block some Adobe files, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block files by their file extensions:

Status:

Adobe has released updates to fix these vulnerabilities.

References:

This alert was researched and written by Corey Nachreiner, CISSP.


What did you think of this alert? Let us know at your.opinion.matters@watchguard.com.

More alerts and articles: log into the LiveSecurity Archive.

Adobe Patch Day Delivers Flash and ColdFusion Security Updates

Emergency Reader Update Expected Later this Month

11 August, 2010

Summary:

  • This vulnerability affects: Adobe Flash Player, Flash Media Server, and ColdFusion for Windows, Mac, and UNIX computers
  • How an attacker exploits it: Multiple vectors, such as enticing your users to a malicious website or sending malicious requests to your web server
  • Impact: Various, in the worst case an attacker can execute code on your computer or server, potentially gaining control of it
  • What to do: Install Adobe’s updates as soon as possible or let Adobe’s Updater do it for you

Exposure:

Yesterday, Adobe released three security bulletins describing 11 vulnerabilities (based on CVE numbers) that affect various Adobe Products, including Flash Player, Flash Media Server, and ColdFusion running on all platforms; many of them critical. We summarize these bulletins below.

  • APSB10-16: Adobe Flash Player Security Update

Affects: Adobe Flash Player 10.1.53.64 and Adobe AIR 2.0.2.12610 and earlier, running on all platforms (Win, Mac, Linux, and Solaris)

Adobe Flash Player displays interactive, animated web content called Flash. A recent report from Secunia stats that 99% of Windows computers have Adobe Flash Player installed, so you users very likely have it. Adobe’s update fixes six security vulnerabilities in Flash Player, which they don’t describe in much technical detail. However, they do describe the general scope and impact of these flaws. In the worst case, if an attacker can lure one of your users to a malicious website, they could exploit some of these flaws to gain control of that user’s computer. We assume the attacker would only gain the privileges of the logged in user. However, since most Windows users have local administrator privileges, the attacker would likely gain full control of Windows machines.
Microsoft rating: Critical.

  • APSB10-19: Adobe Flash Media Server Security Update

Affects: Adobe Flash Media Server (FMS) 3.5.3 and 3.0.5 and earlier, running on Windows and Linux platforms

Adobe Flash Media Server is a product specifically designed to help you stream Flash media over the web. According to Adobe, it suffers from four unspecified security vulnerabilities. Three of the vulnerabilities can lead to Denial of Service (DoS) situations, while the fourth could allow a remote attacker to execute code on your Flash Media Server. Unfortunately, Adobe doesn’t describe exactly how an attacker might exploit these vulnerabilities. We assume they’d have to send some sort of specially crafted request to the Flash Media Server. Adobe also doesn’t implicitly state what level of privilege an attacker’s code would execute with. However, they do assign a Critical rating to this flaw. Without these details we can only assume that an attacker could leverage it to gain full control of a Flash Media Server.
Microsoft rating: Critical.

  • APSB10-18: Adobe ColdFusion Security Hotfix

Affects: Adobe ColdFusion 9.0.1, running on all platforms (Win, Mac, and UNIX)

Adobe ColdFusion is an application server that allows you to develop and deploy web applications. It suffers from an unspecified directory traversal vulnerability, which is essentially a class of vulnerability that allows an attacker to gain access to directories on a server that they should not have access to, thus potentially giving them access to sensitive information. Adobe’s bulletin shares very little about the scope of this flaw, so we’re unsure how easy or hard it is for attackers to leverage. They rate the hotfix as Important.
Microsoft rating: Important.

Besides the three full security bulletins, Adobe also released an early bulletin announcing an upcoming Adobe Reader update that they plan to release later this month. Among other things, this update will include a fix for a PDF related vulnerability that a researcher named Charlie Miller disclosed at the Blackhat 2010 security conference. We expect Adobe to release this final update on or around August 16, and will publish another alert when they do.

Solution Path

Adobe has released updates to correct the issues in all these products.  You should download and deploy the corresponding updates immediately, or let the Adobe Software Updater program do it for you.

For All WatchGuard Users:

Attackers can exploit these flaws using diverse exploitation methods, many of which leverage normal HTTP traffic that most administrators must allow.  Therefore, installing Adobe’s updates is your most secure course of action.

Status:

Adobe has released patches that correct these vulnerabilities.

References:

  • APSB10-16: Adobe Flash Player Security Updates
  • APSB10-19: Adobe Flash Media Server Security Updates
  • APSB10-18: Adobe ColdFusion Security Hotfix

This alert was researched and written by Corey Nachreiner, CISSP.

Adobe Corrects 18 Shockwave Security Flaws

Summary:

  • This vulnerability affects: Adobe Shockwave Player 11.5.6.606 and earlier, running on Windows and Macintosh computers
  • How an attacker exploits it: By enticing your users into visiting a website containing a malicious Shockwave or Director file
  • Impact: An attacker can execute code on your computer, potentially gaining control of it
  • What to do: If you allow the use of Shockwave in your network, you should download and deploy the latest version (11.5.7.609) of Adobe Shockwave Player as soon as possible.

Exposure:

Adobe Shockwave Player displays interactive, animated web content and movies called Shockwave. According to Adobe, the Shockwave Player is installed on some 450 million PCs.

In a security bulletin released late Tuesday, Adobe warned of eighteen critical vulnerabilities that affect Adobe Shockwave Player 11.5.6.606 for Windows and Macintosh (as well as all earlier versions). Adobe’s bulletin doesn’t describe the flaws in much technical detail. It only describes the nature of each flaw, and its basic impact. For the most part, the flaws consist of memory related vulnerabilities, including buffer overflows, integer overflows, and various other memory corruption flaws. Though these flaws differ technically, they all share the same general scope and impact. If an attacker can entice one of your users into visiting a website containing some sort of malicious Shockwave content, he could exploit any of these vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC. Adobe’s alert doesn’t describe what type of Shockwave content triggers these various flaws. However, other researchers alerts have disclosed malicious Shockwave (.SWF) and Director (.DCR) files can trigger these vulnerabilities.

If you use Adobe Shockwave in your network, we recommend you download and deploy the latest version as soon as you can.

As an aside, Adobe also released a security bulletin to fix three less severe vulnerabilities in their web application server, ColdFusion. We suspect few of our customers use this less popular application server. However, if you do, we recommend you follow the instructions in this Adobe TechNote to fix these vulnerabilities.

Solution Path

Adobe has released a new version of Shockwave Player, version 11.5.7.609. If you use Adobe Flash in your network, we recommend you download and deploy this updated player as soon as possible.

For All WatchGuard Users:

Some of WatchGuard’s Firebox models allow you to prevent your users from accessing Shockwave content (.SWF and .DCR) via the web (HTTP) or email (SMTP, POP3). If you like, you can temporarily mitigate the risk of this vulnerability by blocking .SWF and .DCR files using your Firebox’s proxy services. That said, many websites rely on Shockwave for interactive content, and blocking it could prevent these sites from working properly.

If you choose to block Shockwave content, follow the links below for video instructions on using your Firebox proxy’s content blocking features to block .SWF and .DCR files by their file extensions:

Status:

Adobe has released a Shockwave Player update to fix these vulnerabilities.

References:


Follow

Get every new post delivered to your Inbox.

Join 7,528 other followers

%d bloggers like this: