Macromedia has revealed two large security holes in its software and ColdFusion developer language. It urges all its customers to download and install its latest patches.
The first is described by the company as a "moderate" risk and affects all Mac OS X versions of its latest MX software. The issue is in the e-licensing part of its installation software. If the software is installed on machines with several users, it is possible for one user to get hold of the privileges of another.
This affects all Macromedia's software including Flash MX, Dreamweaver MX, Studio MX and Fireworks MX. A patch is available here.
The second is more important and affects ColdFusion MX and JRun. Described by Macromedia as "critical", it concerns how the software handles requests made with SOAP (an XML standard for web services messages). Due to an unspecified error, a specially constructed SOAP message can be used to eat up available CPU and memory and so act as a denial-of-service attack. ColdFusion MX 6.0 and 6.1 and JRun 4.0 are all affected.
Macromedia has produced a patch (available here) to fix the problem.