I really haven’t paid much attention to my blog in a few years. Part of that was probably due to the fact it was running on ColdFusion (Railo 3.3 really) using Mango Blog. Both are extremely out of date and started looking for an alternative. First thought was to convert to WordPress, but given the hassles to set it up and run it securely with seemingly constant vulnerabilties reported pretty much ruled it out.

I wanted to simplify the stack and reduce attack surface, so static generators seemed like a good place to start. I looked at Jekyll first and then several others but ultimately decided on Hugo.

So ColdFusion 9 core support ended on December 31, 2014. As such, Adobe has not released any security updates for it since APSB14-23 on October 14, 2014. There was a question regarding the latest security patch, APSB15-21, released for ColdFusion 10 and 11, if it affected ColdFusion 9. The answer was yes,it is affected as well. And apparently Adobe does have a procedure on how to apply the patch~~, if you email and ask for the instructions~~. Honestly, Adobe should just post the instructions, but given that it is no longer covered by core support can understand why they are not.

So the talk surrounding the Krebs on Security post, The Long Tail of ColdFusion Fail, continues. Some have taken issue with that he seems to be singling out ColdFusion. Personally, I like the fact that he is reporting on breaches. It helps bring to light issues with installs that are out there, so others can learn from the problems. The ones he has highlighted are severe since they involve credit card processing. 

The underlying problem is that hackers have identified ColdFusion as an easy target and are going after it. The only way to fix that is to make it more difficult to attack and compromise, but that requires involvement from everyone that touches a ColdFusion installation. 

On March 17th, there was yet another story from Krebs on Security, The Long Tail of ColdFusion Fail, which sparked some interesting comments. It also provided some additional insight to a post that Wil Genovese made on March 6th, IIS Vulnerability Steals Payment Information since he commented on Krebs that he dealt with eLightBulbs.com.

Before I knew the two were related, I made the comment that it is really a failure of the sysadmin to properly configure and lockdown ColdFusion based upon the published lockdown guides for ColdFusion 9 or ColdFusion 10.

This has been one of the faster turn around times to get an updated Unofficial Updater 2 out. One of the items that stuck out was that one of the acknowledgments was to Alex Holden who co-discovered the Adobe password and software breach.