Adobe Revoking Code Signing Certificate Used To Sign Malware 39
wiredmikey writes "Adobe said Thursday it will be revoking a code signing certificate next week after discovering two pieces of malware that had been digitally signed with Adobe's credentials.
Two malicious utilities, pwdump7 v7.1 and myGeeksmail.dll, both came from the same source and were signed with valid Adobe digital certificates, Adobe's Brad Arkin said.
Adobe plans to revoke the impacted certificate on Oct. 4. After initial investigation, the company identified a compromised build server which had been used to access the code signing infrastructure, Brad Arkin wrote in a blog post. The build server did not have rights to any public key infrastructure functions other than the ability to issue requests to the signing service and did not have access to any Adobe products such as Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR, Arkin said.
According to Adobe, most customers won't notice anything out of the ordinary during the certificate revocation process, but some IT administrators may have to take some actions in response."
Phew (Score:5, Funny)
did not have access to any Adobe products such as Flash Player, Adobe Reader
Phew, good thing that Flash Player and Acrobat Reader are still secure.
Most small business Windows admins by chance? (Score:1, Interesting)
" According to Adobe, most customers won't notice anything out of the ordinary during the certificate revocation process, but some IT administrators may have to take some actions in response."
Considering the fact that the malware associated with the use misuse of Adobe certs is either .exe or .dll binaries my guess is that the admins that will be most plagued by users not having access to some things all of a sudden will be mostly administering small Windows servers.
I would guess that a large number of smal
Re: (Score:2)
Re: (Score:2)
Most people I know use corel draw/photopaint or gimp or the ubiquitous microsoft paint program
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
hmm who is more evil,
Microsoft Apple Oracle or Adobe?
Re: (Score:2)
hmm who is more evil,
Microsoft Apple Oracle or Adobe?
Google obviously.
But instead of this stupid comment of yours, the real question is what will happen when this certificate is revoked? For example, apps on the App Store are signed with a digital certificate. I would expect any app signed with a revoked certificate to stop working, and I would expect Apple to revoke any certificate used to sign malware, which would _really_ give developers some motivation to keep their signing keys safe.
I wonder what (Score:4, Insightful)
Will we do when malware gets "legitimate" signatures for the new and secure "secure boot" we will have in all PC's from now on. I don't think such malware will be so easily removed, or even detected. As things stand, any legitamate use of UEFI's secure boot feature, even if one would be fool enough to believe in their "it improves security" falacy is bogus - and it will be bad(tm) when the root-kit, hyper-visor-level signed malware starts to strike the PC World.
Re: (Score:1)
it will be bad(tm) when the root-kit, hyper-visor-level signed malware starts to strike the PC World.
Natural selection at work. Those infected by hypervisor level rootkits will be those who blindly trusted secure boot.
Those of us smart enough to avoid it like the plague will be just fine.
In the meantime, if we're smart enough to create a network that intentionally excludes Secure Boot machines, we'll be able to *sell* access to the only Internet that still functions properly.
Re: (Score:1)
but 'Secure Boot' is precisely for those who blindly trust such things.
"Hey, if you want me to take a dump in a box and mark it guaranteed, I will."
Re: (Score:2)
And, oh genius, explain me how an S.O. that is running under an undetectable and undeletable hypervisor would be able to update the "UEFI blacklist"?
Incredible pathetic (Score:5, Insightful)
If signing certificates for code do not even get basic certificate protection (standard infrastructure, but offline, and signing machine does nothing else but sign builds), then code signatures become not only worthless, they get negative worth, because they imply security where there is none.
These people seem to still not have understood the basics of secure IT.
Re: (Score:2)
Don't worry, they've clearly learned... "Through this process we learned a great deal about current issues with code signing and the impact of the inappropriate use of a code signing certificate."
(Yes, they did actually say that. In public [adobe.com], amidst a deluge of smarmy understatement and the passive voice.)
Re: (Score:2)
Soooooo, they admit publicly to being incompetent? Incredible.
Have they ever heard of security consulting? Where you can pay people that get it to look at your processes and whether you are doing it right?
Re: (Score:2)
Don't worry, they've clearly learned... "Through this process we learned a great deal about current issues with code signing and the impact of the inappropriate use of a code signing certificate."
I know this makes for a great eyeball-rolling quote, but up until recently I think they genuinely didn't have anyone there who knew much about PKI and certificates. I've been involved in an Adobe-compatible PKI implementation and the impression I got from reading the contents of Adobe's spec was that it was some sort of cargo-cult cut&paste of bits and pieces from various actual standards by someone who'd read the introductory chapter of a book on PKI without really understanding any of it. In some cas
Re: (Score:2)
It is just a new low they have reached. Not protecting your certificates is about the most stupid mistake you can make.
Non denial denial (Score:1)
"Our investigation to date HAS SHOWN NO EVIDENCE that any other sensitive information"
A non-denial-denial there. Sloppy to see the PCs that code sign computers are all on the corporate network! A single employee could have done the same a lot easier if their internal security is so bad.
Perhaps they should GET THEIR SHIT TOGETHER at Adobe HQ?? Because I am so sick of their updates that seem to bring more security holes than they fix each time. Their endless broken PDF updates to fix security problems. Their
Why does it take a week to revoke a certificate. (Score:5, Insightful)
If I found that one of my PGP keys were compromised, I would revoke it in less than 5 minutes. Why does it take a week to revoke a code-signing certificate? How much more damage might occur in that week?
Re: (Score:1)
Have you ever thought that there are enterprises running security software on their system, which can have all the programs blocked if the certificate is found to be revoked? The spare days are to let the customers update to the new versions.
There is a huge difference between a mail signed with PGP and a software run on 5000 desktops in a big corporation.
Poor understanding of PKI/digital signing? (Score:1)
Obviously, Adobe has a big mess to clean up. But here's a question -- for those of you who are systems guys or work with them -- how well do IT people really understand PKI and how it relates to security? I think big messes like this could be minimized if this topic were better understood.
In my experience doing systems integration work, I take in lots of code from developers who know just barely enough about this to get their builds signed, and work with other systems guys who know just barely enough to get
The two pieces of malware (Score:2, Funny)
Two pieces of malware signed with Adobe keys, better known under their common names "Flash Player" and "Adobe Reader".
Also known in antivirus circles as W32/Flash and W32/AdobeReader.
Re: (Score:2)
Buzz! Adobe does have a plan. It's called shove it under the carpet until it costs us money. The problem is, it hasn't reached that point yet so they sure as hell wont change things. Unlike MS where it's "Developers, Developers, Developers" for Adobe it's "Money, Money, Money" as they don't even give a damn about profit so long as they get their pay. Corporate value? Not their problem. Security? Costs fucking money. Anything else? Costs money.