[cryptography] Inappropriate Use of Adobe Code Signing Certificate

Jeffrey Walton noloader at gmail.com
Thu Sep 27 14:49:33 PDT 2012


http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html

We recently received two malicious utilities that appeared to be
digitally signed using a valid Adobe code signing certificate. The
discovery of these utilities was isolated to a single source. As soon
as we verified the signatures, we immediately decommissioned the
existing Adobe code signing infrastructure and initiated a forensics
investigation to determine how these signatures were created. We have
identified a compromised build server with access to the Adobe code
signing infrastructure. We are proceeding with plans to revoke the
certificate and publish updates for existing Adobe software signed
using the impacted certificate. This only affects the Adobe software
signed with the impacted certificate that runs on the Windows platform
and three Adobe AIR applications* that run on both Windows and
Macintosh. The revocation does not impact any other Adobe software for
Macintosh or other platforms.

Sophisticated threat actors use malicious utilities like the signed
samples during highly targeted attacks for privilege escalation and
lateral movement within an environment following an initial machine
compromise. As a result, we believe the vast majority of users are not
at risk.  We have shared the samples via the Microsoft Active
Protection Program (MAPP) so that security vendors can detect and
block the malicious utilities.

Customers should not notice anything out of the ordinary during the
certificate revocation process.  Details about what to expect and a
utility to help determine what steps, if any, a user can take are
available on the support page on Adobe.com.
...
_______________________________________________
cryptography mailing list
cryptography at randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE





More information about the cypherpunks-legacy mailing list