Adobe Fixes ‘Critical’ Vulnerabilities in JRun and ColdFusion Products

Software maker Adobe Systems has issued security bulletins to patch vulnerabilities in two popular web development products, as a number of these vulnerabilities allow hackers to capture sensitive data or compromise end users' systems.

The patches fix 7 vulnerabilities affecting ColdFusion 8.0.1 and earlier versions, and JRun 4.0. The most dangerous flaws are cross-site scripting (XSS) bugs, which allow hackers to run malicious software on an affected computer by delivering a booby-trapped URL to the target system.

Reportedly, the update for ColdFusion takes care of 5 flaws in versions 8.0.1, 8 and 7.0.2 of the web development software. These 5 flaws are serious, as they result in problems ranging from execution of remote code to escalation of user rights for information disclosure. The JRun update, on the other hand, takes care of 2 flaws, one of which could allow a hacker to execute remote code through an XSS attack, while the other could lead to information disclosure.

Adobe stated that the flaws fixed via the two updates were rated as 'critical', and the company therefore recommended that anyone operating either of these programs deploy the patches soon.

The security bulletin from Adobe arrives seven days after Microsoft issued its security bulletin for August, which fixed flaws in Office and Windows, and five other loopholes. Moreover, the Adobe patches arrive as the company, whose products are probably more omnipresent than Microsoft's, works to fix various security flaws. Attackers could exploit these flaws to plant malicious software on the systems.

During the last week of July 2009, Adobe released a patch to plug a Flash Player hole, which miscreants were exploiting to compromise users' computers. In July, attackers hijacked numerous websites by using a text editor that came packaged with ColdFusion. In May 2009, Adobe had declared that it was strengthening the safety measures required for developing its Reader program, which is necessary for viewing PDF files.

There is no report so far of any exploit for the flaws that Adobe has fixed, according to the company's Product Security Incident Response Team.

SPAMfighter News - 9/4/2009