Adobe products, especially Flash and Reader, tend to need frequent patches. It would be ignorant, however, to suggest that these aforementioned products are the only concern. As indicated by recent hotfixes released for ColdFusion, Adobe’s rapid web application development platform, there are always other vulnerabilities to be concerned with.
The hotfixes in question address, per Adobe’s security bulletin, “an input validation issue that could be used in reflected XSS (cross-site scripting) attacks (CVE-2017-3008)” as well as an issue in Apache BlazeDS that causes “Java deserialization (CVE-2017-3066).” The first vulnerability (CVE-2017-3008) is a fairly straightforward threat. XSS attacks are a popular tool among hackers because they allow malicious code to be accepted as legitimate by an application. As the Open Web Application Security Project (OWASP) states, the reflected variation of XSS allows attackers “to install key loggers, steal victim cookies, perform clipboard theft, and change the content of the page (e.g., download links).”
The other vulnerability, involving Java deserialization, is a well-known threat but one that is not always acted upon with alacrity. The reason is that, until Foxglove Security’s 2015 demonstration, Java deserialization was not known to have a publicly exploitable variant. Now that this has changed, hotfixes like the one rolled out by Adobe are essential. In the worst-case scenario, Java deserialization allows total control of a server, where the attacker can alter or destroy data, fundamentally change how applications work, and use the server as a base of operations for further attacks within the same network. In this particular case, the vulnerability was discovered by German penetration tester Markus Wulftange.
Adobe gave the following instructions to those implementing the hotfixes for ColdFusion: “Adobe recommends that ColdFusion customers update their installation using the instructions provided in the relevant tech notes”:
Adobe adds that “Customers should also apply the security configuration settings as outlined on the ColdFusion Security page as well as review the respective Lockdown guides.”
As Chris Brook of Kaspersky Lab’s Threatpost pointed out in his report on these hotfixes, hackers have leveraged exploits in ColdFusion to commit cyberattacks as early as 2013. This is a set of hotfixes that cannot be ignored, despite the rarer instances of such vulnerabilities being utilized by black hats.