is that enough to protect us until we can get the actual updates done?

Impossible to say for certain without all the info on each of the vulnerabilities patched, some of which is not public. Only Adobe could answer that. Blocking _cfclient and take it a step further by blocking all .cfc requests in IIS if possible is a good step though.

Right, Pete/ @foundeo. And Ross/ @salted, I didn't say (in my post) that adding that block would mitigate ALL the vulnerabilities fixed by the 3 cf updates these past 2 weeks. I'd said that for any that DO involve use of that _cfclient query string (shown in exploits by others), the block would cover ALL THOSE, rather than awaiting Adobe to address each such variant (starting with the update in March). Otherwise, yes, people should apply the updates. As Pete says, we have little detail from Adobe to go on.