Zero-Day Flaws Force Fast Fixes From Microsoft And Adobe

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.

Software titans offer temporary fixes for some serious flaws

As exploits do the rounds on the Internet, Microsoft has confirmed a temporary fix for a Internet Explorer 8 zero-day vulnerability, whilst Adobe promised to patch a serious flaw in its ColdFusion platform.

The Internet Explorer 8 zero-day was used in attacks that compromised  the US Department of Labor, making it chuck the Blackhole exploit kit at users’ machines. The flaw is a memory corruption bug and is critical, as it could let attackers remotely execute code on a target machine.

Microsoft yesterday evening issued a “one-click Fix it”. “The Fix it is available to all customers and helps prevent known attacks that leverage the vulnerability to execute code and should not affect your ability to browse the Web. Additionally, applying the Fix it does not require a reboot,” the tech titan said in a blog post.

Security vulnerability - Shutterstock - FuzzBonesZero-day scares

The company is set to issue its Patch Tuesday updates next week,  but it would come as a surprise if a full fix is delivered, given the new flaw is being actively exploited.

Even though security company FireEye said the vulnerability could be leveraged in an attack on Windows 7, it is Windows XP users who should be most concerned.

“We continue to work on a security update to address this issue and we’re closely monitoring the threat landscape,” Microsoft added.

Adobe, meanwhile, said it had “identified a critical vulnerability affecting ColdFusion 10, 9.0.2, 9.0.1 and 9.0 and earlier versions for Windows, Macintosh and UNIX”, in its own advisory.

It said reports indicated an exploit for the vulnerability is publicly available. The flaw could “permit an unauthorised user to remotely retrieve files stored on the server”.

Adobe expects to have a patch ready for 14 May. In the meantime, it told users to take the following steps: “Restrict public access to the CFIDE/administrator, CFIDE/adminapi and CFIDE/gettingstarted directories by following the hardening guidance in the ColdFusion 9 Lockdown Guide and ColdFusion 10 Lockdown Guide.”

The attackers who hit hosting firm Linode and made off with passwords and credit card details were thought to have exploited a vulnerability in Adobe’s ColdFusion application server.

Are you a security expert? Try our quiz!

Originally published on eWeek.