A number of questions have emerged from the ColdFusion community about the recent FCKEditor security vulnerability in ColdFusion. Hopefully this fills in more information for you.
Before I get into it though, let me just say that this isn’t an attempt to excuse the problems you’ve had. We know that you had a crappy week last week (or this week), and regret it. We do need to review what happened, and determine if we could have done this better. Personally, in hindsight, there’s one decision we should have gone another way on: we should have released the workaround sooner.
Is it true that Adobe had a fix for months and sat on it?
No, the issue was reported to us 7 weeks before exploits hit last week.
The workaround was pretty easy, so why did it take you six weeks to come up with it?
In this case, the issue was reported by a customer. The customer was not satisfied with just a workaround for several reasons, including concern that we were not actually fixing the correct problem. (This concern ended up being true.) Additionally, our security people were not entirely convinced that the workaround was the right solution. (Although, I need to state here that the workaround that is now circulating does close the security hole.)
For those reasons, a hotfix was the preferred solution. A hotfix takes more time to create. We had to create the hotfix, then test it to make sure it didn’t break anything, and then provide it to the customer for their approval. We also had to communicate with the FCKEditor folks to ensure that we were correct in understanding their code. In short, in addition to testing, there was a lot of communication between many groups, and that burned up the time.
Now let me be clear here, I’m not casting blame on to the customer or any third party. Communication takes time, and in this case it took a fair amount of time. If you want to know more about this process it’s publicly documented on the PSIRT blog.
Why didn’t Adobe say anything at that time – the workaround was found pretty quickly?
If we acknowledged the security vulnerability and released the workaround, we’d be leaving the reporting client in the lurch. There would be public knowledge of a vulnerability, but no acceptable solution for our customer (as they required the hotfix solution). We made the call to make the fixes privately and announce when we had a solution we were confident in.
In this case it ended up biting us and you. We now know we should have released the workaround as soon as we knew about it.
But honestly I’m personally torn. On one hand, we should have told you guys sooner, as evidenced by the public exploits. On the other hand, we weren’t arbitrarily holding it back, or idly sitting around – the security group was trying to get a proper fix out before an attack occurred. I think we just got some bad luck.
I’m sure you have opinions on this. Feel free to let me have it in the comments.
Did the Adobe shutdown exacerbate this issue?
The security response process was already in progress. Our teams that work on patches were not off that week, so the actual fix was not delayed. The Adobe Security team responded within a day of the reported problem. So I’m not sure the shutdown had a large effect on our official responses.
If you have other questions, please feel free to ask them in the comments.