Alert

Security Advisory: Adobe to Revoke Code Signing Certificate

Sep 27, 2012 8:12AM PDT
Security Advisory: Adobe to Revoke Code Signing Certificate (APSA12-01)

From the Adobe Product Security Incident Response Team (PSIRT) Blog:

A Security Advisory (APSA12-01) has been posted in regards to the misuse of an Adobe code signing certificate. Adobe, working with Verisign, plans to revoke the certificate on October 4, 2012 for all software code signed after July 10, 2012. Adobe is in the process of issuing updates for all affected products using a new digital certificate. For more information related to this issue, please refer to the following blog post.

http://blogs.adobe.com/psirt/2012/09/security-advisory-adobe-to-revoke-code-signing-certificate-apsa12-01-2.html


Related to: Adobe to Revoke Code Signing Certificate
Sep 28, 2012 1:46AM PDT

Brad Arkin's blog post as referenced above (Security Advisory: Adobe to Revoke Code Signing Certificate):

September 27, 2012

Adobe is currently investigating what appears to be the inappropriate use of an Adobe code signing certificate for Windows. We plan to revoke the impacted certificate on October 4, 2012 for all software code signed after July 10, 2012. Customers should not notice anything out of the ordinary during the certificate revocation process. Our investigation to date has shown no evidence that any other sensitive information—including Adobe source code or customer, financial or employee data—was compromised.

What does this mean for you?

The revocation of the certificate affects the Windows platform and three Adobe AIR applications* that run on both Windows and Macintosh. The revocation does not impact any other Adobe software for Macintosh or other platforms. The vast majority of customers of Adobe software for Windows will also not be affected. A small number of customers, in particular administrators in managed Windows environments, may need to take certain action. To determine whether you or your organization are impacted, please refer to the support page on Adobe.com.

Is your Adobe software vulnerable because of this issue? No. This issue has no impact on the security of your genuine Adobe software.

Are there other security risks to you? We have strong reason to believe that this issue does not present a general security risk. The evidence we have seen has been limited to a single isolated discovery of two malicious utilities signed using the certificate and indicates that the certificate was not used to sign widespread malware.

In addition to the revocation of the certificate, we have taken the following steps to protect all users and minimize the impact of the revocation of the certificate for our customers:

• We are working closely with the security community to allow security software providers, such as antivirus or intrusion detection and prevention vendors, to develop protections for customers to detect and protect from the inappropriately signed utilities.

• We are in the process of updating Adobe software by re-signing applications using a new code signing certificate to ensure existing product installations and new downloads continue to function without interruption.

• We are working diligently both internally and with external partners, including law enforcement, to gather data, examine our findings, and determine the appropriate course of action.

Adobe takes security very seriously, and we are committed to determining how the signatures misusing the Adobe code signing certificate were created given the stringent security measures in place to protect our certificate store and our infrastructure in general.

* Adobe Muse and Adobe Story AIR applications as well as Acrobat.com desktop services

http://blogs.adobe.com/conversations/2012/09/adobe-to-revoke-code-signing-certificate.html

Malware signed with the Adobe code signing certificate
Oct 5, 2012 3:12AM PDT

Tanmay Ganacharya @ the Microsoft Malware Protection Center:

Last week, Adobe released an advisory (APSA12-01) announcing the upcoming revocation of an Adobe code signing certificate as it was compromised and used to sign at least two malicious utilities. They identified a compromised build server that required access to the code signing infrastructure and have forensic evidence that links it to the signing of these malicious utilities. They have confirmed that the private key was not compromised and this build server was used to sign the malicious utilities using the standard protocol used for valid Adobe software.

As a member of the Microsoft Active Protections Program (MAPP), the MMPC and other members received information about this compromise and immediately deployed protection for our customers - Win32/Adbposer. One of the primary goals of this attack is to evade antivirus and other security products as most of them have a feature/optimization to trust binaries signed by trusted certificates. The MMPC removed the compromised certificate from our trusted certificate list right away. For your protection please ensure that your virus definition version is greater than 1.137.689.0.

The malicious utilities include a tool used to dump passwords and a malicious ISAPI filter. Following are the details of the samples:

PwDump7.exe
SHA1: c615a284e5f3f41cf829bbb939f2503b39349c8d
Signature timestamp: Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00)
Detected as PWS:Win32/Adbposer.A

libeay.dll
SHA1: 934543f9ecc28ebefbd202c8e98833c36831ea75
Signature timestamp: Thursday, July 26, 2012 8:44:13 PM PDT (GMT -7:00)
Detected as PWS:Win32/Adbposer.A.dll

myGeeksmail.dll
SHA1: fecb579abfbc74f7ded61169214349d203a34378
Signature timestamp: Wednesday, July 25, 2012 8:48:59 PM (GMT -7:00)
Detected as Trojan:Win32/Adbposer.B

Adobe has revoked the certificate today for all software code signed after July 10, 2012 and are also in the process of issuing updates signed using a new digital certificate for all affected products.

We have been tracking this issue very closely and the telemetry shows that this issue is not prevalent and is being used in highly targeted attacks only. We will continue to monitor for new malware leveraging this issue.

http://blogs.technet.com/b/mmpc/archive/2012/10/03/malware-signed-with-the-adobe-code-signing-certificate.aspx
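
Added example, not part of the thread or of Adobe's or Microsoft's tooling: the Python below shows how a dated revocation ("all software code signed after July 10, 2012") sorts signatures by their timestamp, using the SHA-1 values and timestamp format quoted in the MMPC post. The cutoff time of 00:00 UTC, the function names, and the handling of a missing timestamp are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption: the page gives only the date, so the cutoff is taken as 00:00 UTC.
REVOCATION_CUTOFF = datetime(2012, 7, 10, tzinfo=timezone.utc)

# SHA-1 values and detection names exactly as listed in the MMPC post.
KNOWN_SAMPLES = {
    "c615a284e5f3f41cf829bbb939f2503b39349c8d": "PWS:Win32/Adbposer.A",
    "934543f9ecc28ebefbd202c8e98833c36831ea75": "PWS:Win32/Adbposer.A.dll",
    "fecb579abfbc74f7ded61169214349d203a34378": "Trojan:Win32/Adbposer.B",
}

# Matches "Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00)"; zone name optional.
_TS = re.compile(
    r"^\w+, (?P<stamp>\w+ \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
    r"(?: [A-Z]{2,4})? \(GMT (?P<sign>[+-])(?P<h>\d{1,2}):(?P<m>\d{2})\)$"
)


def parse_signature_timestamp(text):
    """Convert a timestamp printed in the post's format to an aware UTC datetime."""
    m = _TS.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {text!r}")
    local = datetime.strptime(m["stamp"], "%B %d, %Y %I:%M:%S %p")
    offset = timedelta(hours=int(m["h"]), minutes=int(m["m"]))
    if m["sign"] == "-":
        offset = -offset
    return local.replace(tzinfo=timezone(offset)).astimezone(timezone.utc)


def signature_outcome(signed_at, cutoff=REVOCATION_CUTOFF):
    """Dated revocation: only signatures made after the cutoff are rejected."""
    if signed_at is None:
        # Assumption: with no timestamp the signature cannot be placed before the cutoff.
        return "revoked"
    return "revoked" if signed_at > cutoff else "still-valid"


def triage(sha1, timestamp_text):
    """Return (detection name or None, revocation outcome) for one signed file."""
    signed_at = parse_signature_timestamp(timestamp_text) if timestamp_text else None
    return KNOWN_SAMPLES.get(sha1.lower()), signature_outcome(signed_at)


if __name__ == "__main__":
    # Constructed call using the PwDump7.exe values quoted in the post.
    print(triage("c615a284e5f3f41cf829bbb939f2503b39349c8d",
                 "Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00)"))
```

All three posted samples carry timestamps after the cutoff, so the revocation invalidates them while signatures timestamped before July 10, 2012 keep validating.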