Adobe recently released a security fix for a security issue in ColdFusion's Flash Remoting services. It impacts all versions of ColdFusion which ship with Flash Remoting (that's at least ColdFusion 9 through ColdFusion 11, but possibly older versions too). Only CF10 and CF11 have been patched; Piyush claims to have instructions for patching CF9, but for some reason is not being helpful about sharing that info with the ColdFusion community.
This morning I read an article from ZDNet ("Adobe issues hotfix patch for ColdFusion vulnerability") wherein Adobe appear to have claimed that "A hotfix, otherwise known as a Quick Fix Engineering update (QFE update), is a lightweight software patch". This is somewhat of a misrepresentation of reality on the part of either Adobe or ZDNet. I suspect ZDNet are just reporting what Adobe told them.
The "patch" that was released was rolled together with all the previous fixes released for ColdFusion, and one does not have the option to simply apply the one-off security fix; one also needs to apply every single other fix Adobe have ever released for the product.
This represents quite a heavy regression-testing burden for anyone thinking of applying the patch. It is not just a matter of installing one small patch and then regression testing a small subset of potential touchpoints in one's CFML application; it means a complete regression testing of everything Adobe have "fixed" in previous patches. And given the ColdFusion Team have a habit of introducing new bugs with these monolithic updates they give us, this is not something that ought to be taken lightly.
To put things in perspective, here is a list of all the fixes shipped with this "quick fix engineering update", for ColdFusion 11:
Updater | Link | Issue addressed |
---|---|---|
1 | 3777189 | IIS worker process hangs when IIS website configuration is changed. |
1 | 3758172 | First request slow on IIS8 (Windows 8 and Server 2012). |
1 | 3772978 | In certain scenarios, when ColdFusion server is hosted behind a firewall, ColdFusion application service does not start. |
1 | 3785178 | CFSTOREDPROC is slow when returning many null values. |
1 | 3759846 | ODBC Socket Data Source cannot be added on Windows. |
1 | 3217374 | Geography/Geometry/HierarchyID data types are not supported. |
1 | 3518916 | Assigning null to Boolean property throws an error while saving the object. |
2 | APSB14-23 | Security fix |
3 | 3728133 | Provide status while uninstalling ColdFusion update. |
3 | 3737579 | Check for updates' button is not in sync with the notification bulb. |
3 | 3738861 | Clicking on "Remove Selected" button in “CF admin > Security > Allowed IP Addresses” gives an error |
3 | 3738871 | Updates not displayed correctly in case there are multiple updates available. |
3 | 3741635 | Add sentence to “Maximum Number of Cached Queries” description in CF Admin |
3 | 3741641 | Archive Wizard step indicators are in the wrong position for PDF services, Archive To Do and Archive summary pages. |
3 | 3746060 | Help document showing ColdFusion 10 contents |
3 | 3747483 | Clicking on verify button on PDF Services page in the Admin shows the text "YES". |
3 | 3767633 | Importing car file from ColdFusion 10 into ColdFusion 11 breaks the installation. |
3 | 3811279 | CFCExplorer not working for ColdFusion Interfaces. |
3 | 3816133 | System Probe not working. HTTP request returned non-200 status code: Connection Failure. |
3 | 3827088 | Update DataDirect driver version from 5.1.1 to 5.1.3. |
3 | 3712885 | Name parameter of cfgridcolumn not honored with JS binding in grids. |
3 | 3712909 | Grid pagination does not work with JS binding. |
3 | 3737272 | Remove hard coded references to /CFIDE/scripts |
3 | 3741341 | When using the cfgrid tag with groupField attribute set, grouping by a Boolean type column does not display the values for the each group. |
3 | 3741397 | Mask attribute of cfgridcolumn not honored. |
3 | 3741675 | Clicking on the delete button in a grid deletes the selected row but results in an error. |
3 | 3757675 | cfmap requires /CFIDE in scriptsrc path |
3 | 3759630 | Using a CFGRID with a CFC bind fails for an incorrect JavaScript when more than 2 parameters are passed from a form. |
3 | 3816340 | Image missing in the context menu for headers in cfgrid. |
3 | 3741588 | ID returned by CacheGetAllIDs function for query objects does not work Caching for cache methods like CacheGet, CacheRemove, CacheGetMetadata, CacheIdExists etc. |
3 | 3846185 | cacheRemove(cacheGetAllIds()) throws attribute validation exception |
3 | 3846186 | cacheRemove()'s exact=false behaves as exact=true if exact ID match is found |
3 | 3849494 | CacheRemove throws an exception when one or more queries do not have cacheId attribute |
3 | 3788135 | CFExchangemail: the "toID" attribute in the mails retrieved from a mailbox displays the primary email address even if the mail was sent to an alias. |
3 | 3788148 | CFExchangemail: The CC, BCC, fromID and toID attributes in a retrieved mail do not display the display names. |
3 | 3756738 | cfchart style value does not work in ColdFusion 11 |
3 | 3756754 | cfchart shows legend even when disabled by showlegend="false" |
3 | 3756789 | CFChart uses space and border for empty title |
3 | 3798825 | CHCHARTSERIES Pie Chart Attribute "datalabelstyle" Has No Effect |
3 | 3800311 | CFCHARTSERIES Data Attribute Will Not Produce Pie Chart According to Documentation |
3 | 3812163 | Passing json file name as style attribute does not show the chart |
3 | 3816026 | showLegend property does not override the property defined in style file |
3 | 3849389 | Issues with pie chart when datalabelstyle is set to columnlabel or pattern. |
3 | 3849267 | showLegend=true does not show legend on chart. |
3 | 3824411 | Cannot override show3D value given in xml with tag-attribute value. The value given in xml style always takes precedence. |
3 | 3430245 | Session gets lost on cflocation with J2EE Sessions and Cookies disabled |
3 | 3753710 | String member functions break existing code that relies on java.lang.String member functions |
3 | 3800047 | setEncoding breaks cffile action="uploadall" with some empty file fields |
3 | 3486968 | Add Support for DB2 10 on Linux and Windows |
3 | 3740190 | queryAddColumn() casts to bit when preceded by bit column and QoQ had a prefixed ORDER BY |
3 | 3765663 | QueryExecute ignores scale property in param struct with cfsqltype of 'cf_sql_decimal' |
3 | 3779331 | Error when using Query of Query and SQL statements ending in semicolon |
3 | 3780222 | Upgrade PostgreSQL JDBC driver |
3 | 3808734 | Enable dbvarname by default |
3 | 3738230 | Using top=x does not the Filtered label for arrays. |
3 | 3760258 | Images missing in debug output |
3 | 3811006 | cftrace/trace reports incorrect line number |
3 | 3854765 | cfdump for an empty array displays empty twice |
3 | 3333862 | cfdocument/cfpdf scale="100" shrinks content |
3 | 3567818 | Spreadsheetwrite: autosize does not work to re-size columns with datetime values. |
3 | 3734792 | PDFs created by cfhtmltopdf are not accessible/tagged |
3 | 3744503 | cfhtmltopdfitem doesn't support additional attributes |
3 | 3744504 | Naming inconsistency of page number variables – pagenumber and lastpagenumber |
3 | 3758430 | cfhtmltopdfitem units of margin attributes |
3 | 3800030 | Spreadsheetaddsplitpane does not work when a spreadsheet object is added to an existing file using action = update. |
3 | 3795400 | |
3 | 3724983 | Error in cftextarea and cfselect when setting a value using cfset and adding +1 to it. |
3 | 3783403 | ExpandPath returns Incorrect path when used with Mappings in Application.cfc |
3 | 3845475 | Grammar error in error message when using the queryGetRow function |
3 | 3345396 | Updates already applied from console should be restricted from ColdFusion Administrator |
3 | 3743165 | ColdFusion update checks repeatedly for the status if ColdFusion is configured with an external webserver. |
3 | 3743254 | After submitting Update URL site, 'Download' and 'Download and Install' buttons do not work. |
3 | 3743255 | In WebLogic, Dialog box that pops up after downloading the hotfix does not show any buttons. |
3 | 3760334 | Mouse hover over Install button shows text "Download and install" |
3 | 3772199 | Remove “max_reuse_connections=250” line from workers.properties file from non-IIS configurations. |
3 | 3781603 | ColdFusion does not start automatically on uBuntu even if the option to start on system init is selected |
3 | 3816729 | ColdFusion administrator does not load images due to a conflict in web.config |
3 | 3734319 | CFIMAP action GETALL breaks when there is an email attachment with square brackets |
3 | 3041747 | Errors raised in onApplicationEnd and onSessionEnd do not show up in the Application log files |
3 | 3043855 | PATCH should be supported for the CFHTTP tag |
3 | 3489021 | Add includeEmptyFields parameter to ReplaceList (as per ListToArray and others) |
3 | 3748332 | CFClient does not support arrayEach() / arrayFilter() / arraySort() / arrayMap() / arrayReduce() |
3 | 3750734 | List iteration & member functions all need to expect both a "delimiters" and an "includeEmptyValues" argument. |
3 | 3752316 | Support ListChangeDelims() member function |
3 | 3754589 | strictNumberValidation setting not reflected in client side CFFORM validation |
3 | 3754672 | Prefix-based custom tags work only if cfimport is used outside of cfscript. |
3 | 3760802 | CFLocation tag when used in default constructor of Application.cfc throws error |
3 | 3777301 | FileUploadAll function does not work with HTML5 multiple attribute |
3 | 3777403 | CFLOOP with simple time values no longer works |
3 | 3780136 | cfimport in cfscript does not work as documented |
3 | 3783011 | Query of Queries giving the wrong result |
3 | 3818770 | Elvis operator executes RHS (right hand side) when it doesn't need to. |
3 | 3820906 | Add ListRemoveDuplicates for list objects |
3 | 3845642 | Passing a CFC object with string property value as "yes" or "no" to serializeJSON function converts the values to true or false |
3 | 3845963 | listEach: arguments scope in UDF function (passed to listEach) should contain the information of delimiter and includeEmptyFields |
3 | 3851922 | Elvis operator does not maintain case sensitivity |
3 | 3842370 | Error including file when it is referenced using a ColdFusion mapping pointing to an IIS virtual directory |
3 | 3820493 | CFLOOP on large query record set with more than 65534 records only processes first 65534 records in query |
3 | 3335509 | Audit log file should log updater installs/uninstalls |
3 | 3617930 | Included CSS file using link tag is not included in packaged mobile code |
3 | 3734606 | ReadAsBase64 function in cfclient errors when reading in a URL that starts with content:// |
3 | 3737516 | REFind gives error when regex containing certain group combination is passed as a pattern |
3 | 3738100 | Incorrect result when using duplicate function to operate on a nested structure |
3 | 3739334 | structCount shows unexpected output when keys are "b.d" and "b.c" |
3 | 3739782 | StructSort doesn’t work as expected when sorting is done on nested struct keys |
3 | 3742204 | cfinclude within |
3 | 3754684 | Add failure callback handler for invokeCFClientFunction function |
3 | 3786749 | Upgrade Apache Cordova library to v3.5.0 |
3 | 3804384 | QueryExecute params not working in mobile |
3 | 3828377 | QueryExecute named params if given as camel casing throw an exception. |
3 | 3833529 | Using index variable inside anonymous function called as a parameter to ArrayEach(Member functions) gives undefined index |
3 | 3744211 | CFHTTP fails to redirect with POST, PUT, DELETE, or OPTIONS methods |
3 | 3763348 | CFHTTP not working with some webservers like maps.googleapis.com and it throws a 404 error. |
3 | 3796626 | CFFTP LISTDIR Command Fails against FTP servers that do not allow the SYST command |
3 | 3835743 | ORM: Exception while de-serializing persistent object |
3 | 3760466 | PDF output truncated by ColdFusion/IIS when passing URL parameters |
3 | 3514766 | Problem adding Scheduled Task on system with different format and display settings that runs on Java 7 |
3 | 3787631 | Axis2 web services can cache unexpectedly. |
3 | 3790251 | Unable to connect to web socket over SSL |
4 | 3337394 | SerializeJSON() converts name "No" to false in JSON output. |
4 | 3759721 | Image functions result in an error on OS X (Mavericks). |
4 | 3865461 | Websockets do not work when configured with SSL. |
4 | 3865484 | Issue using legend property when specified in a json file. |
4 | 3910529 | Issue with Elvis operator after applying Update 3. |
4 | 3919479 | Provide an option to disable dbvarname attribute in cfstoredproc tag. |
4 | 3942257 | Server Monitor on Jetty and content generated by cfhtmltopdf not accessible on Solaris. |
5 | 3845476 | Error when setting the "Allow Administrative Access" option for a user in the security section of the ColdFusion Administrator. |
5 | 3845479 | Error when calling the isAdminUser() admin API method of security.cfc. |
5 | 3851449 | Error when deploying a ColdFusion application as J2EE Archive on JBOSS Application server (7.1.1) |
5 | 3855034 | Unable to set the file overwrite option to false when editing a System Probe. |
5 | 3866344 | "UPDATES is undefined in SESSION" error when checking for updates in the Server Update section in the ColdFusion Administrator. |
5 | 3037144 | Empty input in CFINPUT causes the CFLAYAOUTAREA to duplicate itself. |
5 | 3737524 | Tool-tip does not appear on the first click when using the CFSLIDER tag. |
5 | 3798028 | CFGRID with bound field doesn't reset to page 1 when bind field is updated |
5 | 3852070 | ColdFusion incorrectly serializes dates using serializeJSON method in different system locales. |
5 | 3352745 | Properties with default values are not accessible outside the init function. |
5 | 3520983 | validateParams method throws regex parse error when regex contains comma |
5 | 3699565 | Unable to set the task Status to "Completed" with CFEXCHANGETASK action="modify". |
5 | 3705370 | CFEXCHANGECONTACT does not return more than the default number of contacts when when the MaxRows attribute in CFEXCHANGEFILTER is set to a higher value. |
5 | 3756964 | Exchange 2010: The organizer is not correctly set in cfexchangecalendar Event struct. |
5 | 3761853 | When the percentcompleted is set to 100 or DateCompleted is set to a past date with CFEXCHANGETASK action="modify", the task status does not change to Completed. |
5 | 3761602 | onChange event for CFINPUT does not fire. |
5 | 3863477 | CFFORM posts incorrectly to an SES URL. |
5 | 3797316 | CFChartSeries Attribute "Colorlist" does not work. |
5 | 3848704 | Setting showlegend attribute to false shows legend box |
5 | 3859367 | $VALUE$ , $ITEMLABEL$ and $SERIESLABEL$ values for URL attribute in CFCHART does not work with FLASH/HTML format. |
5 | 3859368 | CFCHART in Flash or HTML format does not render when ENABLECFOUTPUTONLY attribute is set to true. |
5 | 3859531 | CFChart style attribute errors when JSON string is passed. |
5 | 3860808 | Flash/HTML format CFCHART generates unexpected URLs if the value of the URL attribute is set to "" or " ". |
5 | 3554224 | DirectoryList method does not work as expected when using an S3 path with a trailing slash. |
5 | 3634391 | getApplicationMetaData method throws a NullPointerException occasionally. |
5 | 3801082 | IsValid method incorrectly returns true if the email address ends with a comma. |
5 | 3849152 | J2EE sessions in ColdFusion are not maintained in certain cases when using urlSessionFormat method . |
5 | 3916188 | structDelete method results in a null pointer exception when deleting CFID/CFTOKEN from cookie scope. |
5 | 3512854 | Error connecting to Oracle database when using Oracle Advanced Security |
5 | 3818587 | ArrayFind method is not able to search for elements correctly when the array contains Integer or BigInt. |
5 | 3849591 | Error when creating an application specific data source when the name of the datasource is in lowercase. |
5 | 3851961 | abort throws an exception within iteration member function UDFs. |
5 | 3158250 | SpreadSheet formatting methods do not reset formatting attributes in certain cases. |
5 | 3821299 | Proxy attributes in CFDOCUMENT tag are ignored. |
5 | 3842778 | Numeric boolean values for formatting attributes in spreadsheet functions are not interpreted correctly. |
5 | 3846110 | CFHTMLTOPDFITEM errors when used in cfloop. |
5 | 3923995 | spreadsheetAddRows method does not write the array elements in the correct order, when the row and column attributes are not specified. |
5 | 3039708 | When VFS is disabled the memory associated with RAM file system is not released. |
5 | 3043111 | Content-Type is not set appropriately when writing to Amazon S3. |
5 | 3043657 | Cannot merge multiple PDFs from ram:// to ram:// |
5 | 3114274 | File uploaded by CFFILE action "upload" inherits ColdFusion temp directory permission, instead of upload destination directory permission. |
5 | 3148657 | fileUpload method does not ignore empty string for filefield. |
5 | 3226380 | Amazon S3 metadata is cached by ColdFusion because of which any external change to S3 metadata is not reflected. |
5 | 3695879 | The accept attribute of CFFILE doesn't work with Microsoft Word DOCX files |
5 | 3739708 | Uploading a large file to a network directory using CFFILE is slow. |
5 | 3829498 | FileOpen/fileWrite methods fail when filename contains a % character |
5 | 3848011 | Subdirectories are not included in the zip when storepath attribute for CFZIP tag is set to false. |
5 | 3945665 | DirectoryList method for an S3 path throws NullPointerException when listInfo argument is set to "query". |
5 | 3965508 | StoreGetMetadata method does not return owner details of the bucket. |
5 | 3818732 | setDomainCookies="true" does not set domain cookies in websites like http://example.com |
5 | 3320414 | Un-installer does not provide the uninstall option for the non default ColdFusion instances. |
5 | 3358792 | WSConfig does not back up all the config files it changes. |
5 | 3742083 | CGI.PATH_INFO is not null when default documents are served on IIS. |
5 | 3758070 | CGI.HTTP_URL is missing when using IIS. |
5 | 3816563 | Requests return Error 400 after a post request has completed successfully. |
5 | 3853490 | Error when using the cfcompile.bat |
5 | 3923565 | ColdFusion service does not start when J2EE session variables are enabled. |
5 | 3938296 | Error when stopping ODBC service with Update 3 and later. |
5 | 3776450 | Jar files are not loaded correctly when reloadOnChange is set to true in JavaSettings. |
5 | 3842365 | Error when instantiation a Java object is misleading |
5 | 3863517 | On a ColdFusion server created by generating an EAR through J2EE archive, accessing the settings summary and scheduled tasks page in the administrator results in a NullPointerException. |
5 | 3041684 | The "includeEmptyValues" argument of listRest method is ignored. |
5 | 3700163 | The function gethttpRequestData() fails when the form is posted with encType="multipart/form-data". |
5 | 3750733 | listFilter method does not correctly handle multi-char delimiters. |
5 | 3765527 | Variable defined in for loop is not available when used in a struct literal in arrayAppend method. |
5 | 3791747 | each method does not support ordered arguments. |
5 | 3792283 | Calling randomize() with the SHA1PRNG does not create "repeatable number patterns". |
5 | 3810965 | arrayFilter method callback does not pass index or array. |
5 | 3815793 | structcopy method does not return a copy of form or url. |
5 | 3818767 | Serialization of query does not respect case |
5 | 3836702 | queryExecute leaks to the variables scope. |
5 | 3836820 | queryExecute does not work when used in a thread. |
5 | 3840570 | Null coalescing operator sometimes incorrectly returns the second operand. |
5 | 3842326 | The output of encrypt method changes with every call if a variable is passed as the key. |
5 | 3845979 | structClear method does not clear the form scope. |
5 | 3851982 | Callback for structFilter and struct.filter method does not pass the struct. |
5 | 3852305 | Typographical error in a member function error message. |
5 | 3854303 | isValid method handles null values for eurodate and USdate inconsistently. |
5 | 3854304 | isValid method handles null values for integer incorrectly. |
5 | 3861371 | Start time and end time in cfloop prints 12.00 AM always. |
5 | 3909694 | gethttpRequestData method fails when form is posted with encType="application/octet-stream" |
5 | 3926197 | "includeEmptyValues" of listRest method does not return an empty string when passed with a list containing a single element. |
5 | 3846187 | writeLog/cflog does not log application name when called within onApplicationEnd(). |
5 | 3861391 | Add support for arraysort member function. |
5 | 3401939 | REFind multiple line mode not supported. |
5 | 3731533 | date.diff method returns month difference as 1 when difference is less than a month. |
5 | 3737514 | ljustify, rjustify methods give an error when a number is passed as the first argument |
5 | 3737517 | Using ReFind for regex having groups gives unexpected output |
5 | 3738564 | When structFindValue method is used on an array of structs, the path value of this struct returns incorrect array index. |
5 | 3738742 | structget method does not handle arrays correctly. |
5 | 3740223 | reReplace method does not work as expected in certain cases. |
5 | 3859184 | Multiple CFM references do not get converted to .html references while packaging. |
5 | 3859257 | File references with CFM extension in device file APIs do not work in packaged application. |
5 | 3043375 | When doing a chttp POST with a ~ (tilde) in the URL, the ~ always gets URLENCODED |
5 | 3369472 | When "keep mail connection" check box is checked in administrator, the spool manager does not consider the username/password specified in CFMAIL tag. |
5 | 3673298 | Cfftp action putfile failing after processing for secure FTP server |
5 | 3847737 | cfimap action=getall removes brackets and any characters between them from the attachment names. |
5 | 3041790 | In ORMExecuteQuery() method when you pass the queryOption argument, the unique argument is ignored |
5 | 3044064 | IsValid("url", ...) and IsValid("email", ...) do not correctly validate values that use IPv6-based addresses |
5 | 3858866 | Rendering report using cfreport throws MalformedReportException on Mac platform |
5 | 3858955 | A CFC with a function name of length less than 3 can't be exposed as REST service. |
5 | 3151872 | When the scheduled task has a handler and an exception is thrown by the task, exception.log is not updated |
5 | 3854891 | SerializeJSON on a Java object causes service restart |
5 | 3702938 | ColdFusion instances not showing up in Windows Performance Monitor |
5 | 3720764 | Error message with cfindex not detailed enough. |
5 | 3824890 | CFSEARCH tag ignores contextBytes parameter |
5 | 3534348 | Typographical errors in $cfroot/cfusion/bin/cf-init.sh |
5 | 3853535 | cfcontent sends corrupt binary data when query string is present with CF11s isapi_redirect.dll |
5 | 3910257 | Instances in a cluster do not start after updating to CF 11 update 3 if J2EE session is enabled and the session replication is disabled. |
5 | 3695114 | WSDL Generation for CFC with wsversion=1 is very slow with Java 7 |
5 | 3832635 | CFC can't be exposed as WebService over SSL with Axis 2. The endpoint URL is not set correctly in the generated WSDL. |
5 | 3836992 | When a CFC is registered as a WebService, the URL used to register the service is case-sensitive. |
6 | APSB15-21 | Security fix |
That is 239 different "moving parts" that one needs to install along with this recent security "hotfix", and they touch almost all of the ColdFusion platform.
Applying this fix is not a small undertaking as far as regression testing burden goes, and I think it's bloody irresponsible for Adobe to a) release security hotfixes like this; b) downplay the severity of the undertaking by publicising it as a "lightweight software patch". This level of change is tantamount to a new ColdFusion release.
Also bear in mind that this is for ColdFusion 11, which has only had six updates so far. ColdFusion 10 is now up to 17 updates, so you can imagine the scale of risk involved in applying this "quick fix" to a ColdFusion 10 install.
There's an argument to be made that people ought to have kept up to date with the current patching levels, in which case this fix is indeed only one change; however this is not reflective of the way the industry tends to work... I mean to say there are still ColdFusion 5 servers out there in production! If someone has previously not bothered patching their CF10 server but knows they could be affected by this Flash Remoting security hole, they have no choice but to install all these fixes.
This is a professionally irresponsible way for Adobe to go about releasing emergency security fixes for their software. They need to revise their approach here.
Righto.
--
Adam