So, there we go. Adobe got hacked and according to Krebs on Security and Adobe themselves, among other things, the source code of ColdFusion, ColdFusion Builder and other Adobe products has been stolen and shown up on hacker sites.
This is obviously an issue. I don’t want to comment on how it might or might not have happened and what the implications are for Adobe Acrobat (Reader) users. Let’s have a think about Adobe ColdFusion, a hosted server product.
First of all, as far as I know, it’s not clear yet which versions of Adobe ColdFusion’s source code have been stolen/leaked. It might be CF 4 or 5 and therefore less of a worry. More likely however is that it’s one or more recent versions of ColdFusion. What does that mean for both Adobe and you, your users and customers? I’ll try to look at the problems this development is most likely going to cause from a few different angles. Your mileage might vary.
- Hackers have the source code of a server product that’s being hosted on thousands of web and application servers all over the world. A major user for instance is the US Federal Government and currently the European Union (even though there are strong movements within EU organisations towards moving to Railo).
- ColdFusion 9 and 10 recently had a reputation for being easily hackable due to some exploits that were not that well patched, and even then the patches are notoriously difficult for administrators to apply. This has become much better with ColdFusion 10 though. There has been a whole series of hacks against hosting companies and users of CF servers.
- Take the two points above together and you can safely expect that there will be a bunch of new exploits coming along for CF users. This time about 10x worse, because hackers have the actual source code.
- Some people argued on mailing lists or in blogs that hackers could just decompile the Java bytecode CF is delivered as. That is true. However, if you have ever done that, you’d know that it’s much easier for a hacker (or anyone, really) to go through actual, probably commented, source code than through auto-generated source code decompiled from a bytecode file.
- Trust: When one buys a commercial, closed source product, one puts a certain level of trust into the vendor of the product and its support. It’s implicit “security-by-keeping-the-source-code-in-a-vault”. I don’t want to discuss whether that’s good or bad in the first place, but now that vault has been broken into. So – the people who know about bugs, security holes and other issues are not solely Adobe anymore, but Adobe and the hackers. Can I safely trust a CF installation from now on? Can people safely recommend that customers install CF? I struggle with that thought.
- Trust flow-on effects: I wonder how long it takes until organisations like PCI have issues with certifying CF-driven sites as PCI-compliant in an e-commerce context. A commercial application server whose hacked source code is out in the wild – is that trustworthy?
- Some people argued recently that Railo’s and OpenBD’s source code are open and out there as well. Wouldn’t that be the same then? The short answer – no. Both Railo and OpenBD are open source. It’s intentionally opened. There’s a community, there’s transparency. If you don’t trust Railo, inspect the source code – that’s (among other things) why it’s out there.
What’s the way out here for Adobe? I honestly don’t know – but my gut feeling is that their only option would be to in some way open source the product for everyone while keeping commercial distribution rights (I assume they still try to make money from it). I’m at this stage not even sure if and how that’d be feasible. In the meantime – be aware of this situation and that there will be a string of hacking attacks soon. It’s not a question of IF, but WHEN.