[cryptography] Inappropriate Use of Adobe Code Signing Certificate

Jeffrey Walton noloader at gmail.com
Tue Oct 9 20:22:49 EDT 2012


On Fri, Sep 28, 2012 at 8:13 AM, ianG <iang at iang.org> wrote:
> Thanks for that - for a security risk analysis I did last year, I've added
> it to a small history of attacks and similar events against PKI:
> http://wiki.cacert.org/Risk/History
You also have http://www.mozilla.org/security/announce/2006/mfsa2006-60.html:

"... Because the set of root Certificate Authorities that ship with
Mozilla clients contain some with an exponent of 3 it was possible to
make up certificates, such as SSL/TLS and email certificates, that
were not detected as invalid."

Jeff

> On 28/09/12 07:49 AM, Jeffrey Walton wrote:
>>
>> http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html
>>
>> We recently received two malicious utilities that appeared to be
>> digitally signed using a valid Adobe code signing certificate. The
>> discovery of these utilities was isolated to a single source. As soon
>> as we verified the signatures, we immediately decommissioned the
>> existing Adobe code signing infrastructure and initiated a forensics
>> investigation to determine how these signatures were created. We have
>> identified a compromised build server with access to the Adobe code
>> signing infrastructure. We are proceeding with plans to revoke the
>> certificate and publish updates for existing Adobe software signed
>> using the impacted certificate. This only affects the Adobe software
>> signed with the impacted certificate that runs on the Windows platform
>> and three Adobe AIR applications* that run on both Windows and
>> Macintosh. The revocation does not impact any other Adobe software for
>> Macintosh or other platforms.
>>
>> Sophisticated threat actors use malicious utilities like the signed
>> samples during highly targeted attacks for privilege escalation and
>> lateral movement within an environment following an initial machine
>> compromise. As a result, we believe the vast majority of users are not
>> at risk.  We have shared the samples via the Microsoft Active
>> Protection Program (MAPP) so that security vendors can detect and
>> block the malicious utilities.
>>
>> Customers should not notice anything out of the ordinary during the
>> certificate revocation process.  Details about what to expect and a
>> utility to help determine what steps, if any, a user can take are
>> available on the support page on Adobe.com.
>> ...



More information about the cryptography mailing list