Adobe engineers recently identified two malicious utilities that appeared to be digitally signed with a valid Adobe code signing certificate. As a result, the company plans to revoke the affected certificate, used to sign its Windows software, on October 4, 2012.
According to Brad Arkin, Adobe's senior director of security, the revocation affects only three Adobe AIR apps and software for the Windows platform, and only a limited number of customers may need to take action. He also says there is no evidence that any sensitive information has been compromised.
In a separate post on Adobe's Secure Software Engineering Team (ASSET) blog, Arkin explained that the investigation identified a compromised build server with access to the code signing infrastructure.
“Our forensic investigation is ongoing. To date we have identified malware on the build server and the likely mechanism used to first gain access to the build server. We also have forensic evidence linking the build server to the signing of the malicious utilities,” he said.
One of the malicious utilities signed with the soon-to-be-revoked certificate is pwdump7 v7.1, a tool that extracts password hashes from Windows. The second is myGeeksmail.dll, a malicious ISAPI filter.
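The practical question for a Windows administrator reading this is whether any binary on their systems carries a signature from the compromised certificate. The following PowerShell script is an added example, not code from Adobe or from this article: it walks a directory, reads each executable's Authenticode signature and flags files whose signer thumbprint is on a list of known-compromised certificates. The directory path and the thumbprint value are placeholders; the real thumbprint must come from the vendor's advisory, and the article does not publish it.

```powershell
# Added example (not Adobe's or Softpedia's code): audit PE files for signatures
# from a known-compromised code signing certificate.
# $Path and the thumbprint below are placeholders chosen for this example.
param(
    [string]$Path = "C:\Users\Public\Downloads",
    # Placeholder SHA-1 thumbprint; replace with the value published by the vendor.
    [string[]]$CompromisedThumbprints = @("0000000000000000000000000000000000000000")
)

$results = Get-ChildItem -Path $Path -Recurse -Include *.exe,*.dll -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = $sig.SignerCertificate
        [pscustomobject]@{
            File       = $_.FullName
            Status     = $sig.Status   # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Subject    = if ($signer) { $signer.Subject } else { $null }
            Thumbprint = if ($signer) { $signer.Thumbprint } else { $null }
            NotAfter   = if ($signer) { $signer.NotAfter } else { $null }
            # A timestamp countersignature lets a signature outlive the signer's expiry.
            Timestamped = [bool]$sig.TimeStamperCertificate
            # The check that matters here: is the signer one of the compromised certs?
            Flagged    = [bool]($signer -and ($CompromisedThumbprints -contains $signer.Thumbprint))
        }
    }

# Note the caveat: a Status of Valid only means the chain verified at scan time.
# Signatures timestamped before the certificate's revocation date continue to
# verify as Valid after revocation, so do not rely on Status alone; match the
# thumbprint as well.
$results | Where-Object { $_.Flagged -or $_.Status -eq 'HashMismatch' } | Format-Table -AutoSize
$results | Export-Csv -Path (Join-Path $Path 'signature-audit.csv') -NoTypeInformation
```

Run it from an elevated PowerShell prompt against the directories where third-party installers and build output land; the exported CSV records every file's signer and status so the scan can be repeated after the revocation takes effect and the two runs compared.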
Jeff Hudson, CEO of certificate management company Venafi, explained to Softpedia the risks posed by certificate-based compromises.
“Certificate-based compromises are becoming as common as phishing attacks and malware infections. Adobe’s admission that one of its certificates has been hijacked is another example of why organizations that rely on this most basic trust technology need to have a strategy in place for quickly identifying, revoking and replacing them when they have been compromised,” he explained.
“Unfortunately, most organizations wait until a disaster strikes before taking action. Hopefully this will serve as a wake-up call to all enterprises that there is simply no excuse for not having a remediation plan in place.”