New victims inducted into botnet preying on websites running ColdFusion

Investigators have identified more victims of a botnet that collects payment card data and other sensitive information by preying on websites running poorly secured installations of Adobe's ColdFusion Web server platform.

Car manufacturer Citroën and e-commerce sites Elightbulbs.com and Kicherlightinglights.com were named in two media reports published Monday, one by The Guardian and the other by KrebsOnSecurity. The reports highlight the harm that can continue to occur as a result of vulnerabilities even months after they're patched by Adobe and other developers. A separate article by reporter Brian Krebs published last week revealed jam and jelly maker Smuckers and credit card processor SecurePay were also hit by similar attacks. Krebs said several unidentified sites were affected as well.

The reports come five months after federal prosecutors charged a 28-year-old UK man with hacking thousands of computer systems, many of them belonging to the US government. The man stole massive quantities of data, resulting in millions of dollars in damages to victims, and many of those breaches were the result of hacks that exploited ColdFusion. Similar attacks were reported 11 months ago, including one that hijacked a server hosting provider and exposed sensitive customer data. Complicating matters was the October discovery of a server hosting ColdFusion source code. The server was operated by criminals who obtained the code after breaching Adobe's corporate network, Krebs reported at the time.


ColdFusion hack used to steal hosting provider’s customer data

A vulnerability in the ColdFusion Web server platform, reported by Adobe less than a week ago, has apparently been in the wild for almost a month and has allowed the hacking of at least one company website, exposing customer data. Yesterday, it was revealed that the virtual server hosting company Linode had been the victim of a multi-day breach that allowed hackers to gain access to customer records.

The breach was made possible by a vulnerability in Adobe's ColdFusion server platform that could, according to Adobe, "be exploited to impersonate an authenticated user." A patch had been issued for the vulnerability on April 9 and was rated as priority "2" and "important." Those ratings placed it one step down from the most critical, indicating that there were no known exploits at the time the patch was issued but that data was at risk. Adobe credited "an anonymous security researcher" with discovering the vulnerability.

But according to an IRC conversation involving one of the alleged hackers of the site, Linode's site had been compromised for weeks before its discovery. That revelation leaves open the possibility that other ColdFusion sites have been compromised as hackers sought out targets on which to use the exploit.


Patch Tuesday part two – Adobe patches Reader, Flash and more

Adobe have released their latest batch of quarterly security updates covering Flash, Shockwave, Reader, Acrobat, ColdFusion, LiveCycle and Blaze.

After only nine days, another zero-day exploit has been fixed in Adobe Flash Player. Adobe released updates for Windows, Mac OS X, Solaris and Linux today at http://get.adobe.com/flashplayer. Updates for the Android version of Flash Player should be posted before the end of the week. This flaw is being exploited in the wild and is considered critical.

Shockwave player for Windows and Mac saw 24 vulnerabilities fixed this quarter, begging the question of why anyone still installs this software. That is an extremely large attack surface for something hardly used on modern websites… If you are still using Shockwave you can get the latest version from http://get.adobe.com/shockwave. All 24 flaws can lead to code execution.

Adobe Reader and Acrobat have also been patched to address critical vulnerabilities. Adobe have fixed 13 vulnerabilities, some of which only apply to Adobe Reader X and were patched in previous emergency releases for other versions.

Most importantly, the Adobe ASSET blog announced that Adobe Acrobat 10.1 now includes the sandbox mode made available earlier this year in Adobe Reader X. The latest releases can be retrieved by choosing Help -> Check for updates or by visiting http://get.adobe.com/reader.

LiveCycle and Blaze have been updated to address two important security vulnerabilities. More information on the flaws and how to patch is available in Adobe security bulletin APSB11-15.

Adobe ColdFusion also is vulnerable to two important security vulnerabilities that could lead to denial of service (DoS) and cross-site request forgery (CSRF) problems. Details are available in Adobe security bulletin APSB11-14.

I would like to commend Brad Arkin and the Adobe team on being much more reliable in releasing their updates in a predictable manner. The information provided by Adobe makes it easier for researchers and IT administrators alike to maintain their software.

There is still work to do on reducing the number of out-of-band updates and the quantity of flaws, but they are certainly heading in the right direction. Now, let's go patch.