Yesterday Adobe came out in a blog post stating an "inappropriate use of an Adobe code signing certificate for Windows". Apparently they discovered a "compromised build server with access to Adobe code signing infrastructure". (Which is corporate speak for "one of our servers was hacked".) They "immediately decommissioned the existing Adobe code signing infrastructure and initiated a forensics investigation to determine how these signatures were created". This apparently only affects "the Windows platform" and "three Adobe AIR applications for both Windows and Macintosh". I found a list of the applications involved, and how to update them, on this page: http://helpx.adobe.com/x-productkb/global/certificate-updates.html. The revocation will not occur until the 4th of October (next Thursday). The interesting section (to me at least) of this post is the middle section:
Naturally people are writing in to us asking what this impacts (see the first link above) and what happened (the second link above). But there is one thing we are sure of: we don't know the extent of the damage, and we hope there was nothing more compromised than what Adobe has found in their investigation. I know Brad Arkin and trust him, so I don't have any reason to doubt him and his team (who are very good and work very hard, by the way; I don't want anyone to get the wrong impression), but "you never know", I guess, is my point. Since I work for an IDS vendor (Sourcefire, in the interest of full disclosure), our customers were very interested in the rules we released yesterday to cover this. So this is definitely on people's minds.
-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler
Posted Sep 28th 2012
It's not always APT, as if calling it that provides an excuse for getting compromised. Somebody goofed along the way and the bad guys got in. Stuff happens, but don't make it worse by making excuses.
-- Ken, Sep 28th 2012
The "interesting" part to me is how they say you don't have to do anything for Flash and Reader. Unless you're an administrator and you manage software.
Reading between the lines it sounds like Adobe is saying if you allow automatic updating you'll be fine. Otherwise you won't. So what happens when the certificate is revoked? Do you just get a warning when you try to install an old version? Or do all of your users get a warning when they try to run Adobe Reader or use Flash? The latter would really suck.
-- Anonymous, Sep 28th 2012
I guess we will be finding out next week?
-- Joel, Sep 28th 2012
"Never ruin an apology with an excuse."
- Ben Franklin (... unless you're in marketing.)
-- Jack, Sep 28th 2012
I tried to update a client's Flash Player this week and kept getting an invalid cert error. Had never seen that before. Did a bit of Googling and found a site that had a screenshot just like the dialog box I was seeing. (Too bad I can't find it now.) Was really confused until I started seeing posts like this describing what was going on.
-- Bob Stangarone, Sep 29th 2012
- http://nakedsecurity.sophos.com/2012/09/28/adobe-revokes-certificate-after-hackers-compromise-server-sign-malware/
Sep 28, 2012 - "... the issue appears to have been the result of hackers compromising a vulnerable build server. -Malware- seen using the digital signature includes pwdump7 v 7.1 (a utility that scoops up password hashes, and is sometimes used as a single file that statically links the OpenSSL library libeay32.dll). According to Adobe, the second malicious utility is myGeeksmail.dll, a malicious ISAPI filter..."
-- Jack, Sep 29th 2012
Q: Why would someone break into Adobe to use their certificate to sign a legitimate file like pwdump? (Yes, it has legitimate uses.)
A: Because the one that was signed had been modified somehow. Or perhaps anti-malware products will ignore digitally signed files. Anyway, that is my take. No one has said what those two files are doing malware-wise. Adobe has the samples. They need to tell us what they were doing. If a security company was using them in pen tests, this could be seriously bad.
-- Anonymous, Sep 29th 2012
@JJ: you can export the affected certificate from an older file and import it in the "Untrusted Certificates" store, and conduct tests right now. Make sure you import it in the _system_ section of the cert store (not in your personal section).

Such an "older file" can be obtained from, for example, http://helpx.adobe.com/flash-player/kb/archived-flash-player-versions.html. I just downloaded the Flash Player archive "(Released 6/21/2012) Flash Player 11.3.300.262 (35.1 MB)" (file: fp_11.3.300.262_archive.zip). All three executables in zip/fp_11.3.300.262_archive/11_3r300_262/ are signed with the certificate that will be revoked (Serial Nr. 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88).

@Bob Stangarone: what you describe has nothing to do with the issue at hand. No certificate has been revoked yet.

The interesting section (to me at least) of http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html is: "Our internal testing indicates that moving the impacted Adobe certificate to the Windows Untrusted Certificate Store does not block threat actors from executing the malicious utilities on a victim machine." Unfortunately this is correct. By default Windows (at least XP) does not check digitally signed binaries when you expect them to do that. Even an exe file just downloaded, and hence tagged as "blocked" (using an Alternate Data Stream), does not have its signature checked when you first run it.
-- Erik van Straten, Sep 30th 2012
@JJ you ask why they wanted a signed pwdump. I believe the answer is: to attack a server that is protected by whitelisting which blocks execution of untrusted programs but accepts code signed by Adobe et al. as trusted.
-- Erik van Straten, Oct 2nd 2012
If you are interested in finding executables on your machines signed with this certificate, I've released a new digital signature tool that can help you with this:
blog.didierstevens.com/2012/10/01/searching-for-that-adobe-cert/
-- DidierStevens (ISC Handler), Oct 2nd 2012
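As an added example (not from the diary, the comments, or Didier Stevens' tool), the following PowerShell script does the two checks the thread discusses: it reports whether the certificate serial Erik quoted is already in the machine-wide Untrusted Certificates store, and it walks a directory tree reporting every PE file whose Authenticode signer certificate carries that serial. The scan root is an assumption; the serial is the one from the comment above, written without spaces as Windows presents it.

```powershell
# Added example, not code from the diary or from Didier Stevens' tool.
# Reports files signed with the certificate serial quoted in the thread and
# whether that serial is present in the machine-wide Untrusted store.
param(
    [string]$Root   = 'C:\Program Files',                 # assumption: where to scan
    [string]$Serial = '15E5AC0A487063718E39DA52301A0488'  # serial from the comment, no spaces
)

# Cert:\LocalMachine\Disallowed is the "Untrusted Certificates" store in the _system_
# section; an entry only in Cert:\CurrentUser\Disallowed would not cover other accounts.
$distrusted = Get-ChildItem -Path Cert:\LocalMachine\Disallowed |
    Where-Object { $_.SerialNumber -eq $Serial }
if ($distrusted) { "Serial $Serial is present in LocalMachine\Disallowed" }
else             { "Serial $Serial is NOT present in LocalMachine\Disallowed" }

# Inspect the embedded Authenticode signature of every PE file under $Root.
# Get-AuthenticodeSignature still returns SignerCertificate when the chain is
# not trusted (Status becomes NotTrusted/UnknownError), so the serial can be matched
# both before and after the certificate is distrusted or revoked.
$hits = Get-ChildItem -Path $Root -Recurse -Include *.exe,*.dll,*.ocx,*.sys -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if ($cert -and $cert.SerialNumber -eq $Serial) {
            [pscustomobject]@{
                Path     = $_.FullName
                Status   = $sig.Status        # Valid, NotTrusted, UnknownError, ...
                Subject  = $cert.Subject
                NotAfter = $cert.NotAfter
            }
        }
    }

"$(@($hits).Count) file(s) under $Root are signed with serial $Serial"
$hits | Format-Table -AutoSize
```

A match only identifies the signer certificate, not whether a file is one of the malicious samples; legitimate Adobe binaries signed before the compromise will appear too, so compare the list against the update page Adobe published rather than acting on the serial alone.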