Adobe is in damage control mode as the company aims to contain the risk from a compromised code signing certificate. The compromise is forcing the company to revoke the certificate.
"Adobe is aware at this time of two malicious utilities from a single source that appeared to be digitally signed using a valid Adobe code-signing certificate," Adobe warned in an advisory issued late Thursday.
The two malicious utilities are pwdump, which can be used to extract passwords from Windows and myGeeksmail, which is a malicious ISAPI filter.
How It Happened
As to how the Adobe certificate was compromised, Brad Arkin, senior director of Product Security and Privacy at Adobe noted in a blog post that Adobe identified a compromised build server with access to the Adobe code signing infrastructure.
According to Arkin, the compromised build server's configuration was not up to Adobe corporate standards.
"We are investigating why our code signing access provisioning process in this case failed to identify these deficiencies," Arkin stated. "The compromised build server did not have rights to any public key infrastructure (PKI) functions other than the ability to make code signing requests to the code signing service."
Adobe plans on revoking the compromised certificate on Oct 4. Arkin added that the flaw, "only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh."
Though Arkin's statement identifies only a limited number of Adobe applications at risk, Mikko Hypponen, chief research officer at F-Secure reported that over 5,000 files that were signed by Adobe's certificate. According to Adobe, the impacted certificate was issued in December 2010, and since then more than 5,000 files were signed using the certificate. With the exception of the three bad files Hypponen and Adobe highlighted, the other signing events were for legitimate Adobe software signed since December 2010. The revocation of the certificate is for software code signed after July 10, 2012, impacting only a much smaller portion of the total of more than 5,000 signed files.
Big Security Implications
Andrew Storms, director of security operations for nCircle, noted that the compromised Adobe certificate was signed on July 10, 2012, meaning that it's possible it has been used by malicious actors for several months.
"The implications of a breach this serious are staggering," Storms said. "Adobe will be cleaning up this mess for a long time."
Adobe is not the first and likely not the last vendor to be hit by a compromised certificate in recent years. In 2011, a major breach at Certificate Authority DigiNotar highlighted the issue of compromised certificates. That breach left dozens of high-profile organizations at risk, including Google and Mozilla.
"Certificate-based compromises are becoming as common as phishing attacks and malware infections," said Jeff Hudson, CEO of certificate management vendor Venafi. "Adobe's admission that one of its certificates has been hijacked is another example of why organizations that rely on this most basic trust technology need to have a strategy in place for quickly identifying, revoking and replacing them when they have been compromised."