Unofficial Updater 2

So with the most recent attack on ColdFusion (detailed by Charlie Arehart, Part #1, Part #2) there was a comment left on the post that got me a bit concerned where the comment said all you had to do is search for h.cfm to remove the file placed by the attacker. My experience has been if an attacker has had access to the server there is no absolute way of knowing what they might have done, even with good log reconstruction. As I noted in my comment in one instance I have previously encountered a situation where an attacker put a file called fck_dialog_common.cfm into CFIDE/scripts/ajax/FCKeditor/editor/dialog/common. At first glance of the directory it looks right, but inactuallity it a file that was buried and hidden so the attacker could come back through it instead of the original entry point. 

The only way to know is to have a way of doing file integrity checks against a good known source. The initial attack that was posted to the Adobe forum was found because an intrustion detection system (IDS) alerted the administrator that a file had been written to CFIDE that was called h.cfm.

Well, the long nightmare known as patching Adobe ColdFusion 8.0.1 is now over. With the release of APSB12-21 last week and core support ending on July 31 for ColdFusion 8 there will be no more security hot fixes released for it (noted at the bottom of the technote).

It is nice that Adobe has moved to a regular release cycle of security hotfixes for ColdFusion 8.0.1 and 9.0.1. It is making my job easier to maintain Unofficial Updater 2. There have been quite a few changes besides just updating for the latest security hotfix. Below is a detailed change log since the last release. 

So last Thursday (March 29th) Adobe published an update to APSB12-06 to address a defect introduced that prevented file uploads from working properly on ColdFusion 8.0.1, see the Adobe forum post for details. I have just updated Unofficial Updater 2 to apply the corrected files for ColdFusion 8.0.1.

So, good they fixed the issue, but my problem with Adobe lays with how they comunicate the change. I didn’t even know there was an update until I saw a post aggregated on ColdFusionBloggers.org from the Adobe ColdFusion Blog. I am signed up to Adobe’s Security Notification Service, but I have never seen a notification come in regarding ColdFusion. And when you go to the updated ColdFusion Security Hotfix APSB12-06 where is the information that it has been updated, at the BOTTOM of the page. But at least it was updated, that counts for something right?

There have been several updates to Unofficial Updater 2 over the past few days.