Bit9 has acknowledged that its network was recently breached, and its own certificates were used to infect at least three of its customers with malware.
"Due to an operational oversight within Bit9, we failed to install our own product on a handful of computers within our network," Bit9 president and CEO Patrick Morley wrote in a blog post. "As a result, a malicious third party was able to illegally gain temporary access to one of our digital code-signing certificates that they then used to illegitimately sign malware."
"That last bit is extremely important, because Bit9 is a default trusted publisher in their software, which runs on customer PCs and networks as an 'agent' that tries to intercept and block applications that are not on the approved whitelist," writes Krebs on Security's Brian Krebs. "The upshot of the intrusion is that with a whitelist policy applied to a machine, that machine will blindly trust and run anything signed by Bit9."
"The malware signed with the certificates stolen from the company has been used against three of their customers," writes Softpedia's Eduard Kovacs. "As soon as the breach was discovered, Bit9 revoked the compromised certificate. In addition, steps have been taken to ensure that all the machines from the firm’s network, both virtual and physical, benefit from proper protection. While there’s no evidence that their products have been compromised, Bit9 is preparing a patch to automatically detect and neutralize malicious elements that illegally use the digital certificate."
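The trust problem Krebs describes, and the revocation Kovacs mentions, can be made concrete with a small policy simulation. The following Python is an added example written for this article; it is not Bit9's code and it models no real product. It compares three allowlist modes on two constructed binaries signed with the same (later stolen) certificate: publisher trust alone, publisher trust with a revocation check, and a strict per-file hash allowlist. The vendor name, certificate serial and file contents are all made up.

```python
"""Toy application-allowlist policy engine (added example, not Bit9 code).

Shows why "trust anything signed by publisher X" lets malware signed with a
stolen certificate run, what certificate revocation does and does not fix,
and how an explicit per-file hash allowlist behaves. All names, serials
and file contents below are constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class Signature:
    publisher: str     # subject name on the signing certificate
    cert_serial: str   # identifies the exact certificate that signed the file


@dataclass
class Binary:
    name: str
    content: bytes
    signature: Optional[Signature] = None

    @property
    def sha256(self) -> str:
        return hashlib.sha256(self.content).hexdigest()


@dataclass
class Policy:
    mode: str  # "publisher", "publisher_revocation", or "hash_only"
    trusted_publishers: set = field(default_factory=set)
    revoked_serials: set = field(default_factory=set)
    allowed_hashes: set = field(default_factory=set)


def decide(policy: Policy, binary: Binary) -> Tuple[bool, str]:
    """Return (allowed, reason) for one binary under the given policy."""
    # An explicitly approved file hash is accepted in every mode.
    if binary.sha256 in policy.allowed_hashes:
        return True, "file hash is on the allowlist"
    if policy.mode == "hash_only":
        return False, "file hash is not on the allowlist"
    sig = binary.signature
    if sig is None:
        return False, "unsigned"
    # Only the revocation-aware mode consults the revocation list.
    if policy.mode == "publisher_revocation" and sig.cert_serial in policy.revoked_serials:
        return False, "signing certificate has been revoked"
    if sig.publisher in policy.trusted_publishers:
        return True, "signed by a trusted publisher"
    return False, "publisher is not trusted"


# Constructed sample data: one vendor certificate, used both for the vendor's
# own agent and, after theft, for a trojan. Not real files or certificates.
VENDOR = "Example Whitelist Vendor (constructed)"
VENDOR_CERT = Signature(publisher=VENDOR, cert_serial="SERIAL-0001-CONSTRUCTED")
AGENT = Binary("agent.exe", b"legitimate agent build", VENDOR_CERT)
TROJAN = Binary("update.exe", b"payload signed with the stolen certificate", VENDOR_CERT)


def run_scenario() -> dict:
    """Evaluate both binaries in each mode, before and after the vendor
    revokes the stolen certificate. Returns {mode: {phase: {file: allowed}}}."""
    results = {}
    for mode in ("publisher", "publisher_revocation", "hash_only"):
        policy = Policy(mode=mode,
                        trusted_publishers={VENDOR},
                        allowed_hashes={AGENT.sha256})  # only the known-good build is pinned
        before = {b.name: decide(policy, b)[0] for b in (AGENT, TROJAN)}
        policy.revoked_serials.add(VENDOR_CERT.cert_serial)  # vendor revokes the cert
        after = {b.name: decide(policy, b)[0] for b in (AGENT, TROJAN)}
        results[mode] = {"before_revocation": before, "after_revocation": after}
    return results


if __name__ == "__main__":
    for mode, phases in run_scenario().items():
        for phase, verdicts in phases.items():
            print(f"{mode:21s} {phase:18s} {verdicts}")
```

Two things stand out when the scenario runs. Publisher-only trust allows the trojan in both phases, and even the revocation-aware mode allows it until the theft is discovered and the certificate revoked; only the hash-only mode blocks it from the start, which is the practical meaning of Abrams's remark that a whitelist only tells you an application was approved. The hash allowlist also keeps the vendor's own agent running after revocation, which is why pinning known-good builds matters once a publisher certificate has to be withdrawn.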
"A Bit9 spokesman declined to identify the victims, describe the capabilities of the malicious software used in the attacks or say if the hackers had succeeded in harming its clients," writes Reuters' Jim Finkle.
"The incident is an important reminder that there are significant limitations to the type of security service Bit9 provides," writes Ars Technica's Dan Goodin. "'Whitelisting does not tell if software is benign, malicious, or even exploitable,' Randy Abrams, research director of Bit9 competitor NSS Labs, wrote in an e-mail to Ars. 'It tells you that the application was approved.'"