Adobe Revoking Code Signing Certificate Used To Sign Malware 39
wiredmikey writes "Adobe said Thursday it will be revoking a code signing certificate next week after discovering two pieces of malware that had been digitally signed with Adobe's credentials.
Two malicious utilities, pwdump7 v7.1 and myGeeksmail.dll, both came from the same source and were signed with valid Adobe digital certificates, Adobe's Brad Arkin said.
Adobe plans to revoke the impacted certificate on Oct. 4. After initial investigation, the company identified a compromised build server which had been used to access the code signing infrastructure, Brad Arkin wrote in a blog post. The build server did not have rights to any public key infrastructure functions other than the ability to issue requests to the signing service and did not have access to any Adobe products such as Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR, Arkin said.
According to Adobe, most customers won't notice anything out of the ordinary during the certificate revocation process, but some IT administrators may have to take some actions in response."
I wonder what (Score:4, Insightful)
Will we do when malware gets "legitimate" signatures for the new and secure "secure boot" we will have in all PC's from now on. I don't think such malware will be so easily removed, or even detected. As things stand, any legitamate use of UEFI's secure boot feature, even if one would be fool enough to believe in their "it improves security" falacy is bogus - and it will be bad(tm) when the root-kit, hyper-visor-level signed malware starts to strike the PC World.
Incredible pathetic (Score:5, Insightful)
If signing certificates for code do not even get basic certificate protection (standard infrastructure, but offline, and signing machine does nothing else but sign builds), then code signatures become not only worthless, they get negative worth, because they imply security where there is none.
These people seem to still not have understood the basics of secure IT.
Why does it take a week to revoke a certificate. (Score:5, Insightful)
If I found that one of my PGP keys were compromised, I would revoke it in less than 5 minutes. Why does it take a week to revoke a code-signing certificate? How much more damage might occur in that week?