Adobe said today it will revoke a code signing certificate after discovering malware that was digitally signed with the certificate.
"Adobe is currently investigating what appears to be the inappropriate use of an Adobe code signing certificate for Windows," Brad Arkin, senior director of security at Adobe, wrote in a blog post. "We plan to revoke the impacted certificate on October 4, 2012 for all software code signed after July 10, 2012."
"The evidence we have seen has been limited to a single isolated discovery of two malicious utilities signed using the certificate and indicates that the certificate was not used to sign widespread malware," Arkin added. There is no evidence at this time that "any other sensitive information -- including Adobe source code or customer, financial or employee data -- was compromised."
Basically, someone was able to get access to a so-called "build" server used for developing Adobe software and from there sent a request to an Adobe code signing server, Adobe spokeswoman Wiebke Lips told CNET. The code signing certificate was used to digitally sign, or authenticate, the malware as coming from Adobe. This means that the malware could masquerade as a legitimate Adobe program, but Lips said this was not done.
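The mechanics described above, with the dated revocation from Adobe's announcement (certificates are revoked only for code signed after July 10, 2012), come down to a simple policy check that Windows administrators can reason about: a signature from the compromised certificate stays trusted if a trusted countersignature timestamp proves it was made before the cutoff, while a signature with no trusted timestamp is judged as of the time of verification and therefore falls with the certificate. The following is an added illustration, not code from Adobe or from this article; the certificate serial, file names and signing times are constructed sample data, and the helper names are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Optional, Sequence


@dataclass(frozen=True)
class RevocationEntry:
    """A revoked code signing certificate and the instant from which its signatures stop counting."""
    serial: str
    invalid_from: datetime  # signatures timestamped at or after this instant are rejected


@dataclass(frozen=True)
class SignedArtifact:
    """Summary of a binary's Authenticode-style signature (constructed data; no real PE parsing here)."""
    name: str
    signer_serial: Optional[str]       # None means the file carries no signature at all
    signing_time: Optional[datetime]   # trusted countersignature timestamp, or None if absent


def evaluate_signature(artifact: SignedArtifact,
                       revocations: Sequence[RevocationEntry],
                       now: datetime) -> str:
    """Return 'unsigned', 'trusted' or 'revoked' for one artifact under a dated revocation policy."""
    if artifact.signer_serial is None:
        return "unsigned"
    # Edge case: with no trusted timestamp the verifier cannot know when the signature was made,
    # so it is evaluated as of the verification time and a revoked certificate invalidates it.
    effective_time = artifact.signing_time if artifact.signing_time is not None else now
    for entry in revocations:
        if entry.serial == artifact.signer_serial and effective_time >= entry.invalid_from:
            return "revoked"
    return "trusted"


def triage(artifacts: Sequence[SignedArtifact],
           revocations: Sequence[RevocationEntry],
           now: datetime) -> Dict[str, str]:
    """Classify every artifact; the result is what an administrator would review before the cutover."""
    return {a.name: evaluate_signature(a, revocations, now) for a in artifacts}


# Constructed placeholder serial; the real certificate's serial is not reproduced here.
IMPACTED_SERIAL = "CONSTRUCTED-SERIAL-0001"

# "Signed after July 10, 2012" is read as any timestamp from the start of July 11, 2012 (UTC).
ADOBE_REVOCATION = RevocationEntry(
    serial=IMPACTED_SERIAL,
    invalid_from=datetime(2012, 7, 11, tzinfo=timezone.utc),
)

# Constructed sample inventory: the two utilities named in the article, a legitimate build
# timestamped before the cutoff, the same build without a timestamp, another vendor's binary,
# and an unsigned file.
SAMPLE_ARTIFACTS = [
    SignedArtifact("pwdump7.exe", IMPACTED_SERIAL, datetime(2012, 7, 25, tzinfo=timezone.utc)),
    SignedArtifact("myGeeksmail.dll", IMPACTED_SERIAL, datetime(2012, 7, 26, tzinfo=timezone.utc)),
    SignedArtifact("product_setup.exe", IMPACTED_SERIAL, datetime(2012, 5, 1, tzinfo=timezone.utc)),
    SignedArtifact("product_setup_nots.exe", IMPACTED_SERIAL, None),
    SignedArtifact("other_vendor.exe", "CONSTRUCTED-SERIAL-0002", datetime(2012, 8, 1, tzinfo=timezone.utc)),
    SignedArtifact("unsigned_tool.exe", None, None),
]

# Verification time chosen to match the announced revocation date.
VERIFICATION_TIME = datetime(2012, 10, 4, tzinfo=timezone.utc)


def run_sample_triage() -> Dict[str, str]:
    """Evaluate the constructed inventory against the single Adobe revocation entry."""
    return triage(SAMPLE_ARTIFACTS, [ADOBE_REVOCATION], VERIFICATION_TIME)


if __name__ == "__main__":
    for name, status in run_sample_triage().items():
        print(f"{name:28s} {status}")
```

The point of the `product_setup_nots.exe` case is why re-signing matters for deployed software: a legitimately signed binary that was never timestamped cannot prove it predates the cutoff, so once the certificate is revoked it is treated like the malicious samples.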
Adobe received the malware samples from a "single, isolated source (unnamed)," according to Lips.
Asked why Adobe was waiting until next week to revoke the certificate, Lips said the delay gives administrators time to prepare their systems.
In a separate blog post intended for engineers, Arkin added:
The discovery of these utilities was isolated to a single source. As soon as we verified the signatures, we immediately decommissioned the existing Adobe code signing infrastructure and initiated a forensics investigation to determine how these signatures were created. We have identified a compromised build server with access to the Adobe code signing infrastructure....
Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise. As a result, we believe the vast majority of users are not at risk. We have shared the samples via the Microsoft Active Protection Program (MAPP) so that security vendors can detect and block the malicious utilities.
The first piece of malware, "pwdump7 v7.1," was a utility that extracts password hashes from the Windows operating system. The other, "myGeeksmail.dll," was an Internet Server Application Programming Interface (ISAPI) filter, the post says. More details are in the Adobe security advisory.
The revocation will affect the Windows platform and Adobe Muse and Adobe Story AIR applications, as well as Acrobat.com desktop services that run on both Windows and Macintosh. There is no risk from legitimate Adobe software, he said.
"The vast majority of customers of Adobe software for Windows will also not be affected," Arkin wrote. "A small number of customers, in particular administrators in managed Windows environments, may need to take certain action. To determine whether you or your organization are impacted, please refer to the support page on Adobe.com."
Adobe's investigation was triggered when it received a sample of the first piece of malware on Sept. 12, Arkin said in a tweet. "The three known bad files signed with the impacted cert occurred on 25 & 26 July 2012," he wrote in a subsequent tweet.
Adobe said it is working with security companies to develop tools for detecting and protecting against inappropriately signed software, as well as updating Adobe software by re-signing applications using a new code signing certificate to make sure existing software installations and new downloads are not interrupted.
A Microsoft spokeswoman provided this comment: "Microsoft will take the appropriate action to help protect its customers," and said people should contact Adobe for more information.
Updated 6:07 p.m. PT to clarify in the headline and first paragraph that only an Adobe certificate was affected; 4:20 p.m. PT with more details from Arkin's tweets and the Adobe spokeswoman, and with Microsoft's comment; and 2:20 p.m. PT to correct that the malware was not masquerading as Adobe software and to provide more details.