Adobe Revoking Code Signing Certificate Used To Sign Malware

Hackers Breached An Adobe Server To Gain Access To Code Signing Infrastructure

Adobe will be revoking a code signing certificate next week after discovering two pieces of malware that had been digitally signed with Adobe's credentials.

The malicious utilities, pwdump7 v7.1 and myGeeksmail.dll, both came from the same source and were signed with valid Adobe digital certificates, Brad Arkin, senior director of security for Adobe products and services, wrote on the Adobe Secure Software Engineering Team blog on Thursday. The company traced the signatures to a compromised build server, at which point the code signing infrastructure was decommissioned, Arkin wrote.

Adobe plans to revoke the impacted certificate on Oct. 4 for all software code signed after July 10. An interim signing service will re-sign affected products.

After initial investigation, the company identified a compromised build server which had been used to access the code signing infrastructure, Arkin wrote. The build server did not have rights to any public key infrastructure functions other than the ability to issue requests to the signing service and did not have access to any Adobe products such as Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR, Arkin said.

So far, Adobe has not seen any evidence of compromise related to any other sensitive information such as Adobe source code or customer, financial or employee data.

The revocation would only affect Adobe software signed with the affected certificate that runs on Windows, as well as three Adobe AIR applications (Adobe Muse, Adobe Story AIR, and Acrobat.com desktop services) that run on both Windows and Mac OS X, Arkin said.

The revocation will not impact any other Adobe software on Macs and other platforms.

Adobe is waiting until Oct. 4 to revoke the certificate to provide time for customers, especially administrators in managed environments, who may need to take action beforehand, Wiebke Lips, an Adobe spokesperson, told SecurityWeek.
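The action administrators need to take starts with knowing which installed binaries carry the affected signature. The following PowerShell inventory is an added example, not code from the article or from Adobe: it walks the usual program directories, reads each binary's Authenticode signature, and lists the files whose signing certificate matches a given thumbprint. The thumbprint is a placeholder; the real value comes from Adobe's Security Certificates update page, which this article does not quote, and the scan roots are an assumption about where the software of interest lives.

```powershell
# Added example (not from the SecurityWeek article or Adobe): inventory binaries
# signed with a specific code signing certificate so an administrator can see
# which installed files fall under the revocation.
# ASSUMPTION: the thumbprint below is a placeholder. Take the real one from
# Adobe's Security Certificates update page; the article does not quote it.
$AffectedThumbprint = 'PLACEHOLDER_THUMBPRINT_FROM_ADOBE_ADVISORY'

# ASSUMPTION: these roots cover the installs you care about; extend as needed.
$ScanRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:CommonProgramFiles) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$results = foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -Recurse -File -Include *.exe, *.dll, *.ocx -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Only files whose leaf signing certificate is the affected one.
            if ($sig.SignerCertificate -and
                $sig.SignerCertificate.Thumbprint -eq $AffectedThumbprint) {
                [pscustomobject]@{
                    Path        = $_.FullName
                    Subject     = $sig.SignerCertificate.Subject
                    Status      = $sig.Status          # 'Valid' while the cert is trusted; changes once revocation is checked
                    Timestamped = [bool]$sig.TimeStamperCertificate   # countersigned files keep a signing time for the revocation date check
                }
            }
        }
}

# Show the result and keep a CSV for the change record.
$results | Sort-Object Path | Format-Table -AutoSize
$results | Export-Csv -Path (Join-Path $env:TEMP 'code-signing-cert-inventory.csv') -NoTypeInformation
```

Run it before the revocation date and again afterwards: a file that reports `Valid` now and fails verification later is one the interim service still has to re-sign, and files with `Timestamped = False` are worth a closer look because, without a countersignature, Windows cannot tell whether they were signed before or after the July 10 cut-off.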

The build server was infected with malware, which is probably how attackers gained access to the machine in the first place, Arkin said. It is likely the attackers gained access to another Adobe machine and "leveraged standard advanced persistent threat (APT) tactics" to access the build server, Arkin said.

When asked whether the certificates had been stolen, Lips said, "Definitely not!" The private keys associated with the Adobe code signing certificates were stored in Hardware Security Modules (HSMs) kept in physically secure facilities. Adobe has confirmed during the course of its investigation the private key associated with the Adobe code signing certificate was not extracted from the Hardware Security Module, Lips explained.

The "vast majority" of Adobe customers on Windows will not be affected. Adobe has seen only the two malicious utilities, and the evidence indicates that the certificate was not used to sign widespread malware, Lips said.

The pwdump7 v7.1 utility extracts password hashes from the Windows operating system and myGeeksmail.dll is a malicious ISAPI filter, according to the blog post. Adobe does not believe versions of the ISAPI filter are publicly available.

Adobe is currently re-signing applications using the interim service, which also has "offline human verification" to ensure that all files are valid Adobe products. The company is also in the process of deploying a "new, permanent signing solution."

System administrators should keep an eye out for security software updates to defend against these utilities, Arkin recommended. They can also create a Software Restriction Policy via Group Policy to disallow the execution of malicious utilities. Moving the impacted Adobe certificate to the Windows Untrusted Certificate Store does not appear to block these utilities from executing.

"Adobe does not recommend using the Untrusted Certificate Store in this situation," Arkin said.
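Since Adobe's advice is a Software Restriction Policy rather than the Untrusted Certificate Store, here is what such a rule looks like when created on a machine. This PowerShell script is an added example, not code from the article or from Adobe: it writes a Disallowed hash rule into the registry location that the Software Restriction Policies editor uses for local policy (a domain GPO carries the same values in its registry.pol). The sample path is a placeholder for a quarantined copy of the binary to block; the registry value names and the 0x8004 (CALG_SHA1) hash algorithm id are the SRP layout as I know it, and the script assumes it is run elevated.

```powershell
# Added example (not from the article or Adobe): add a Software Restriction
# Policy "Disallowed" hash rule for a known malicious binary on this machine.
# Run from an elevated prompt. A GPO-based SRP stores the same values in
# registry.pol under the same relative key.
# ASSUMPTION: $SamplePath is a placeholder for a quarantined copy of the file.
$SamplePath = 'C:\quarantine\pwdump7.exe'

$Safer      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
$Disallowed = Join-Path $Safer '0'          # security level 0 = Disallowed, 0x40000 = Unrestricted

# Make sure SRP is switched on and covers DLLs (TransparentEnabled = 2); the
# default level stays Unrestricted so only the explicit hash rules block anything.
# myGeeksmail.dll is an ISAPI filter, so DLL enforcement matters here.
if (-not (Test-Path -LiteralPath $Safer)) { New-Item -Path $Safer -Force | Out-Null }
Set-ItemProperty -Path $Safer -Name DefaultLevel       -Value 0x40000 -Type DWord
Set-ItemProperty -Path $Safer -Name TransparentEnabled -Value 2       -Type DWord
Set-ItemProperty -Path $Safer -Name PolicyScope        -Value 0       -Type DWord   # all users, admins included

function Add-SrpHashRule {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Description = 'Blocked by hash rule'
    )
    $file  = Get-Item -LiteralPath $Path
    $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
    $sha1  = [System.Security.Cryptography.SHA1]::Create().ComputeHash($bytes)

    # Each rule lives in its own GUID-named subkey under <level>\Hashes.
    $rule = Join-Path $Disallowed ('Hashes\' + [guid]::NewGuid().ToString('B'))
    New-Item -Path $rule -Force | Out-Null
    Set-ItemProperty -Path $rule -Name ItemData     -Value $sha1        -Type Binary   # the file hash
    Set-ItemProperty -Path $rule -Name HashAlg      -Value 0x8004       -Type DWord    # CALG_SHA1
    Set-ItemProperty -Path $rule -Name ItemSize     -Value $file.Length -Type QWord    # size is part of the match
    Set-ItemProperty -Path $rule -Name LastModified -Value $file.LastWriteTimeUtc.ToFileTimeUtc() -Type QWord
    Set-ItemProperty -Path $rule -Name SaferFlags   -Value 0            -Type DWord
    Set-ItemProperty -Path $rule -Name FriendlyName -Value $file.Name   -Type String
    Set-ItemProperty -Path $rule -Name Description  -Value $Description -Type String
    return $rule
}

$created = Add-SrpHashRule -Path $SamplePath -Description 'Utility signed with the compromised Adobe code signing certificate'
Write-Host "Created SRP hash rule at $created"

# Read the rule back so the change can be verified and documented.
Get-ItemProperty -Path $created | Select-Object FriendlyName, HashAlg, ItemSize, Description
```

A hash rule matches one exact binary, which is the right shape for the two utilities Adobe named but does nothing against a recompiled variant; pair it with the security software updates Arkin mentions. Confirm with `gpresult` or the SRP editor that the rule is present, and test on a non-production machine first, because a mistake in `DefaultLevel` turns a targeted block into a machine-wide one.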

According to Adobe, most customers won't notice anything out of the ordinary during the certificate revocation process, but some IT administrators may have to take some actions.

"A small number of customers, in particular administrators in managed Windows environments, may need to take certain action," Adobe said.

"Certificate-based compromises are becoming as common as phishing attacks and malware infections," Jeff Hudson, CEO of Venafi, told SecurityWeek. "Adobe's admission that one of its certificates has been hijacked is another example of why organizations that rely on this most basic trust technology need to have a strategy in place for quickly identifying, revoking and replacing them when they have been compromised."

"Unfortunately, most organizations wait until a disaster strikes before taking action; hopefully this will serve as a wake-up call to all enterprises that there is simply no excuse for not having a remediation plan in place," Hudson added.

To determine if your organization is impacted, you can view the Security Certificates update page. 

Additional reporting by Mike Lennon

Related: Microsoft Certificate Was Used to Sign "Flame" Malware

Related: Comodo Certificates Used to Sign Banking Trojans in Brazil  

Related: CAs - A Means to Advanced Security, But Not the End  

Related: Microsoft Update Forces Min Certificate Key Length of 1024 Bits

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.