Unofficial Updater 2 now patches APSB13-27

This has been one of the faster turn around times to get an updated Unofficial Updater 2 out. One of the items that stuck out was that one of the acknowledgments was to Alex Holden who co-discovered the Adobe password and software breach.

In the news of the latest patch, there is contention of whether the hole reported by Alex Holden is actively being exploited, from the second to last paragraph.

Holden maintains this flaw was being used by attackers prior to today. "Hold Security identified an attack attempt against a ColdFusion version 8 resource by the same hackers behind breaches like LexisNexis, Adobe, and others," Holden said. Unaware of the possible effectiveness of this attack, Hold Security reached out to Adobe. While Adobe did not find the precise attack effective against any of supported CF versions, they did identify a critical flaw in the same resource which led to the patch issued today.

The first thing that struck me was that ColdFusion 8 was specifically mentioned. Now ColdFusion 8 core support ended July 31, 2012 which means Adobe will not issue a patch to close this hole on ColdFusion 8 (the last patch was APSB12-21 on September 11, 2012). The only effective measure is to make sure you properly lockdown ColdFusion 8 or upgrade to a supported version (and properly secure it). The other thing is Adobe's statement about being "effective against any supported CF version" and since ColdFusion 8 is no longer supported it is probably valid. 

Regardless of if it is being exploited, the best defense is to be running a supported version of ColdFusion, staying current on patches, and properly securing ColdFusion using the published lockdown guides for ColdFusion 9 or ColdFusion 10.

Also tomorrow (11/14) at 2pm ET, I will be giving a free webinar on the security enhancements that have been made in ColdFusion 10. To register, please visit

  1. #1 by ~P - November 14, 2013 at 11:36 AM

    I've been working with CF, well, forever now it seems, never heard of the Unofficial Updater before. I will definitely take a closer look. While we have CF10, we've not yet gotten all of our CF8 servers up to date. Thank you for bringing it to my attention.

    Off-topic, but kinda funny... My company's Barracuda web filter caught your blog site as "Adult Content", haha.
  2. #2 by David Epler - November 14, 2013 at 4:03 PM

    I hope you find it useful. Just keep in mind that UU2 will only patch to the last one that Adobe has released for ColdFusion 8 (APSB12-21) and that all other security holes found in the past year probably do effect ColdFusion 8 but there will never be a patch. If you need to secure ColdFusion 8, I recommend using the ColdFusion 9 lock down guide. I have used it to secure ColdFusion 8.

    As for Barracuda classifying the site that way, I don't know and will look into getting it remedied. Thanks for letting me know.
(will not be published)
Leave this field empty: