Adobe Pushes Fix for ColdFusion Cross Site Scripting Hole. No Word On Reader, Acrobat Patch

Adobe on Tuesday released a patch for a vulnerability affecting versions of its ColdFusion Web application development platform. A company spokeswoman said the company still hasn’t set a date for an emergency patch for a critical and previously unknown hole in both the Adobe Reader and Adobe Acrobat applications, after promising to issue a fix this week.

The vulnerability affects ColdFusion versions 9.01, 9.0, 8.0.1 and 8.0 running on Microsoft Windows, Apple’s Mac and the UNIX operating systems and could be used in a cross site scripting attacks against those platforms, according to a security bulletin published by Adobe. However, a developer who helped discover the hole said that it didn’t allow malicious code to be executed in tests he performed.

ColdFusion is a development platform used to create rich Internet applications. In a cross site scripting attack, attackers take advantage of vulnerabilities in Web applications and static Web pages to inject a client-side script into other users’ Web sessions.

Web developers working for the Federal Reserve Bank of Atlanta discovered the cross site scripting vulnerability as part of an internal development project, according to Howard Fore, a senior Web developer at the bank. Fore and a colleague, Shawn Gorrell, reported the hole to Adobe in August, then worked with Adobe staff to fix it. Fore told Threatpost that staff at the Federal Reserve Bank never found a way to use the hole to run malicious code on vulnerable systems.

“We couldn’t get anything to execute,” Fore said.

He said the hole may have been introduced by recent changes to the ColdFusion platform, because the Federal Reserve Bank has used Web vulnerability scanners for its ColdFusion development previously, but only recently detected the cross site scripting hole.

Adobe said the patch resolves two vulnerabilities: CVE-2011-2463 and CVE-2011-4368. It advised customers to update their ColdFusion installations as soon as possible to protect against remote attacks that target the security hole.

The company is planning an emergency patch of both Adobe Acrobat and Adobe Reader, following the discovery of a critical vulnerability affecting both platforms. According to security researchers, exploits of those vulnerabilities have already been linked to malicious attacks online, including installations of the Sykpiot Trojan horse program.