By now, I should be used to the fact that Adobe Patch Day falls on the same Tuesday as Microsoft Patch Day, and yet Adobe still seems to sneak a few by me.
During the rigmarole of Microsoft Patch Day last Tuesday, Adobe released a security advisory describing an update that fixes a security flaw in the ColdFusion web application server. For those that don’t know, ColdFusion, or CFML, is a web application language, which you can use to tie your web site to a database back-end. Adobe’s ColdFusion is a product for creating CFML applications, and it even comes with a built-in web server (thought not one intended for production use). According to Adobe’s advisory, ColdFusion suffers from a Denial of Service (DoS) vulnerability involving hash algorithm collisions. This flaw’s not a huge threat, but if you have ColdFusion you should patch.
If I’m being honest, my first response to seeing this advisory was, “who cares.” While I don’t know the official numbers, I’m fairly sure that few web sites actually leverage ColdFusion for their web applications today. They use PHP and .ASP instead. However, an audience member from a presentation I gave yesterday reminded me that one man’s lame app might be another man’s favorite program.
The IT Professional in question was telling me about a client who had a network breach. An attacker had gained access to the client’s SQL database via their web site, and stole and deleted lots of data. What was the ultimate culprit? An older, unpatched version of ColdFusion. Well. I’ll be. Here I was callously ignoring a product that I felt was not worthy of attention, meanwhile attackers are targeting it.
Yes. I’m being a little over dramatic to illustrate a point. Yet, this conversation reminded me that vulnerabilities in less popular products can still greatly affect some people. In fact, sometime we even forget about some of the less popular products we have on our computers since we never use them. If we’ve forgotten about them, we’re probably not updating them. Luckily, there are tools that can help you with this problem.
At home, I’ve installed the free personal version of Secunia’s PSI (it stands for Personal Software Inspector). It checks your computer for every software package you install, and tries to tell you the ones that haven’t been updated. I especially like that it doesn’t only tie to the Windows “install/uninstall” component, but instead scans your computer for executables. Sometimes we install products on our computers that the Windows uninstaller doesn’t “see,” but PSI will still find and recognize these programs. Since many less popular products don’t have automatic update mechanisms, PSI is a great tool to proactively find what software you should patch. I recommend you check it out. — Corey Nachreiner, CISSP (@SecAdept)