
Adobe Revoking Code Signing Certificate Used To Sign Malware

samzenpus posted about 2 years ago | from the not-allowed dept.

Security 39

wiredmikey writes "Adobe said Thursday it will be revoking a code signing certificate next week after discovering two pieces of malware that had been digitally signed with Adobe's credentials. Two malicious utilities, pwdump7 v7.1 and myGeeksmail.dll, both came from the same source and were signed with valid Adobe digital certificates, Adobe's Brad Arkin said. Adobe plans to revoke the impacted certificate on Oct. 4. After initial investigation, the company identified a compromised build server which had been used to access the code signing infrastructure, Brad Arkin wrote in a blog post. The build server did not have rights to any public key infrastructure functions other than the ability to issue requests to the signing service and did not have access to any Adobe products such as Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR, Arkin said. According to Adobe, most customers won't notice anything out of the ordinary during the certificate revocation process, but some IT administrators may have to take some actions in response."


Phew (5, Funny)

amicusNYCL (1538833) | about 2 years ago | (#41483979)

did not have access to any Adobe products such as Flash Player, Adobe Reader

Phew, good thing that Flash Player and Acrobat Reader are still secure.

Re:Phew (-1)

Anonymous Coward | about 2 years ago | (#41484107)

I'm ready to accept your seed. Do it! Shoot it all into my gaping asshole!

Most small business Windows admins by chance? (1, Interesting)

Anonymous Coward | about 2 years ago | (#41484055)

" According to Adobe, most customers won't notice anything out of the ordinary during the certificate revocation process, but some IT administrators may have to take some actions in response."

Considering the fact that the malware associated with the use/misuse of Adobe certs is either .exe or .dll binaries, my guess is that the admins that will be most plagued by users not having access to some things all of a sudden will be mostly administering small Windows servers.
I would guess that a large number of small businesses that run some form of win server will have kittens if they have implemented the lax user security policies that most MS certified pimple faced admins use by default.

Re:Most small business Windows admins by chance? (2)

philofaqs (668524) | about 2 years ago | (#41484237)

Wondered how long it would take for someone to try to implicate MS, well done.

Re:Most small business Windows admins by chance? (0)

Anonymous Coward | about 2 years ago | (#41484399)

Wondered how long it would take for someone to try to implicate MS, well done.

Blame Adobe they started it!

"Adobe is currently investigating what appears to be the inappropriate use of an Adobe code signing certificate for Windows. We plan to revoke the impacted certificate on October 4, 2012 for all software code signed after July 10, 2012. Customers should not notice anything out of the ordinary during the certificate revocation process. Our investigation to date has shown no evidence that any other sensitive information—including Adobe source code or customer, financial or employee data—was compromised."

Please RTFA please before posting...oh this is /. you are forgiven.
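How a revocation with a signing-date cut-off plays out at verification time, as an added example that is not part of the comment above and is not Adobe's or Microsoft's code. The two dates come from the quoted statement; the file names, timestamps, the midnight-UTC cut-off and the rule that an untimestamped signature is rejected once the certificate is revoked are assumptions of this sketch.

```python
from datetime import datetime, timezone
from typing import List, NamedTuple, Optional, Tuple

UTC = timezone.utc
# Dates from the Adobe statement quoted above (midnight UTC is an assumption).
SIGNED_AFTER_CUTOFF = datetime(2012, 7, 10, tzinfo=UTC)
REVOCATION_PUBLISHED = datetime(2012, 10, 4, tzinfo=UTC)


class Signature(NamedTuple):
    file: str
    timestamp: Optional[datetime]  # trusted timestamp countersignature, None if absent


def evaluate(sig: Signature, now: datetime) -> Tuple[bool, str]:
    """Decide whether a file signed with the affected certificate is trusted at `now`."""
    if now < REVOCATION_PUBLISHED:
        # Until the revocation is published, verifiers have nothing to act on.
        return True, "revocation not yet published"
    if sig.timestamp is None:
        # Without a trusted timestamp the signing time cannot be proven,
        # so the signature is judged against the certificate's current status.
        return False, "no timestamp, certificate is revoked"
    if sig.timestamp > SIGNED_AFTER_CUTOFF:
        return False, "signed after the cut-off date"
    return True, "timestamped before the cut-off date"


def newly_blocked(sigs: List[Signature], before: datetime, after: datetime) -> List[str]:
    """Files that verify at `before` but fail at `after`: the admin's to-do list."""
    return [s.file for s in sigs
            if evaluate(s, before)[0] and not evaluate(s, after)[0]]


# Constructed sample inventory (hypothetical file names and signing times).
SAMPLE = [
    Signature("legit_old_build.exe", datetime(2012, 3, 1, tzinfo=UTC)),
    Signature("legit_recent_update.exe", datetime(2012, 8, 15, tzinfo=UTC)),
    Signature("unstamped_tool.dll", None),
]

if __name__ == "__main__":
    before = datetime(2012, 10, 1, tzinfo=UTC)
    after = datetime(2012, 10, 5, tzinfo=UTC)
    for sig in SAMPLE:
        print(sig.file, evaluate(sig, after))
    print("needs re-signed replacement:", newly_blocked(SAMPLE, before, after))
```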

Remember now... "We All Hate Adobe". (0)

Anonymous Coward | about 2 years ago | (#41484089)

It's why just about everyone has a copy of Photoshop.

Re:Remember now... "We All Hate Adobe". (1)

lister king of smeg (2481612) | about 2 years ago | (#41484311)

Most people I know use corel draw/photopaint or gimp or the ubiquitous microsoft paint program

Re:Remember now... "We All Hate Adobe". (1)

Tetch (534754) | about 2 years ago | (#41484663)

I still use PaintShop Pro V6 when on Windows - it does everything I need, and I will never need anything "better" - especially not some dodgy backstreet edition of Adobe Photoshop. Just FYI.

Re:Remember now... "We All Hate Adobe". (1)

wonkey_monkey (2592601) | about 2 years ago | (#41485647)

Yay, it's anecdote Top Trumps, Slashdot's favourite game! I use Photoshop and everyone I know uses Photoshop!

Adobe, Adobe, Adobe... (0)

Anonymous Coward | about 2 years ago | (#41484125)

People have been shot for less than this.

Re:Adobe, Adobe, Adobe... (1)

lister king of smeg (2481612) | about 2 years ago | (#41484323)

hmm who is more evil,
Microsoft Apple Oracle or Adobe?

Re:Adobe, Adobe, Adobe... (0)

Anonymous Coward | about 2 years ago | (#41484599)

Google

Re:Adobe, Adobe, Adobe... (0)

Anonymous Coward | about 2 years ago | (#41485461)

Richard Stallman

Re:Adobe, Adobe, Adobe... (1)

gnasher719 (869701) | about 2 years ago | (#41485683)

hmm who is more evil,
Microsoft Apple Oracle or Adobe?

Google obviously.

But instead of this stupid comment of yours, the real question is what will happen when this certificate is revoked? For example, apps on the App Store are signed with a digital certificate. I would expect any app signed with a revoked certificate to stop working, and I would expect Apple to revoke any certificate used to sign malware, which would _really_ give developers some motivation to keep their signing keys safe.

I wonder what (3, Insightful)

Pope Raymond Lama (57277) | about 2 years ago | (#41484321)

Will we do when malware gets "legitimate" signatures for the new and secure "secure boot" we will have in all PC's from now on. I don't think such malware will be so easily removed, or even detected. As things stand, any legitimate use of UEFI's secure boot feature, even if one would be fool enough to believe in their "it improves security" fallacy is bogus - and it will be bad(tm) when the root-kit, hyper-visor-level signed malware starts to strike the PC World.

Re:I wonder what (1)

Anonymous Coward | about 2 years ago | (#41484517)

it will be bad(tm) when the root-kit, hyper-visor-level signed malware starts to strike the PC World.

Natural selection at work. Those infected by hypervisor level rootkits will be those who blindly trusted secure boot.
Those of us smart enough to avoid it like the plague will be just fine.
In the meantime, if we're smart enough to create a network that intentionally excludes Secure Boot machines, we'll be able to *sell* access to the only Internet that still functions properly.

Re:I wonder what (1)

Anonymous Coward | about 2 years ago | (#41484695)

but 'Secure Boot' is precisely for those who blindly trust such things.

"Hey, if you want me to take a dump in a box and mark it guaranteed, I will."

Re:I wonder what (0)

Anonymous Coward | about 2 years ago | (#41485735)

Wonder no more. The answer is easy: Microsoft will distribute an update to the UEFI blacklist via Windows Update to most computers in the world. And offline computers are not really threatened by malware. So the end of the world will not happen.

Re:I wonder what (1)

Pope Raymond Lama (57277) | about 2 years ago | (#41486469)

And, oh genius, explain to me how an OS that is running under an undetectable and undeletable hypervisor would be able to update the "UEFI blacklist"?

Incredible pathetic (5, Insightful)

gweihir (88907) | about 2 years ago | (#41484491)

If signing certificates for code do not even get basic certificate protection (standard infrastructure, but offline, and signing machine does nothing else but sign builds), then code signatures become not only worthless, they get negative worth, because they imply security where there is none.

These people seem to still not have understood the basics of secure IT.

Re:Incredible pathetic (1)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#41485093)

Don't worry, they've clearly learned... "Through this process we learned a great deal about current issues with code signing and the impact of the inappropriate use of a code signing certificate."

(Yes, they did actually say that. In public [adobe.com] , amidst a deluge of smarmy understatement and the passive voice.)

Re:Incredible pathetic (1)

gweihir (88907) | about 2 years ago | (#41488499)

Soooooo, they admit publicly to being incompetent? Incredible.

Have they ever heard of security consulting? Where you can pay people that get it to look at your processes and whether you are doing it right?

Re:Incredible pathetic (1)

arglebargle_xiv (2212710) | about 2 years ago | (#41498295)

Don't worry, they've clearly learned... "Through this process we learned a great deal about current issues with code signing and the impact of the inappropriate use of a code signing certificate."

I know this makes for a great eyeball-rolling quote, but up until recently I think they genuinely didn't have anyone there who knew much about PKI and certificates. I've been involved in an Adobe-compatible PKI implementation and the impression I got from reading the contents of Adobe's spec was that it was some sort of cargo-cult cut&paste of bits and pieces from various actual standards by someone who'd read the introductory chapter of a book on PKI without really understanding any of it. In some cases the Adobe spec requires that you literally do the exact opposite of what the standards require, and in other cases it's just a garbled muddle of different bits of different standards. So when they say, in effect, "we've had to learn a great deal about PKI", then that's probably quite literally true.

Re:Incredible pathetic (0)

Anonymous Coward | about 2 years ago | (#41485473)

These people seem to still not have understood the basics of secure IT.

You must be new here, this is Adobe we're talking about -- Did you expect any different?!

Re:Incredible pathetic (1)

gweihir (88907) | about 2 years ago | (#41488515)

It is just a new low they have reached. Not protecting your certificates is about the most stupid mistake you can make.

Non denial denial (1)

Anonymous Coward | about 2 years ago | (#41484989)

"Our investigation to date HAS SHOWN NO EVIDENCE that any other sensitive information"

A non-denial-denial there. Sloppy to see the PCs that code sign computers are all on the corporate network! A single employee could have done the same a lot easier if their internal security is so bad.

Perhaps they should GET THEIR SHIT TOGETHER at Adobe HQ?? Because I am so sick of their updates that seem to bring more security holes than they fix each time. Their endless broken PDF updates to fix security problems. Their inability to get their shit together with Android, did they even check with their customers before deciding to cancel it?

It all smacks of a few incompetent programmers, and a few lazy managers.

Easy Fix (0)

Anonymous Coward | about 2 years ago | (#41486183)

HTML5 instead of Flash
evince instead of Acrobat Reader
Gimp instead of Photoshop
Then there are Scribus, SVG, Inkscape and lots more.

Why does it take a week to revoke a certificate. (4, Insightful)

DERoss (1919496) | about 2 years ago | (#41485197)

If I found that one of my PGP keys were compromised, I would revoke it in less than 5 minutes. Why does it take a week to revoke a code-signing certificate? How much more damage might occur in that week?

This Is a Bunch of Programmer-Whores (0)

Anonymous Coward | about 2 years ago | (#41486197)

They only care about $$. Security is just a nuisance. And a Cost Center.

Re:Why does it take a week to revoke a certificate (1)

Anonymous Coward | about 2 years ago | (#41497633)

Have you ever thought that there are enterprises running security software on their system, which can have all the programs blocked if the certificate is found to be revoked? The spare days are to let the customers update to the new versions.
There is a huge difference between a mail signed with PGP and a software run on 5000 desktops in a big corporation.

Poor understanding of PKI/digital signing? (1)

Anonymous Coward | about 2 years ago | (#41485383)

Obviously, Adobe has a big mess to clean up. But here's a question -- for those of you who are systems guys or work with them -- how well do IT people really understand PKI and how it relates to security? I think big messes like this could be minimized if this topic were better understood.

In my experience doing systems integration work, I take in lots of code from developers who know just barely enough about this to get their builds signed, and work with other systems guys who know just barely enough to get the web server to run the code without throwing up error messages in the browser. I've had to learn a fair amount about this topic because I've been called in to fix more than one mess. Nothing like this level, but still bad. (We get called in when the other people in our fairly large organization can't figure something out.)

The problem is that while the theory is pretty intuitive, practice is spotty, error-prone and differs radically between OS vendor and even OS version. On top of that, some applications have their own layer of certificate security on top of the base OS one, further leading to confusion. And, it's a strange topic because it's admittedly hard to understand something like "I trust this application because some magic algorithm controlled by the data in this 1K file was passed over the executable. And I trust that 1K file because it links to a chain of similar files all the way up to VeriSign, GoDaddy, etc."

Even making sure admins of small organizations know things like "When you generate your org's root certificates and private keys, shut off the machine, bury it in concrete and never let it near a network connection again!" would help avoid some of the worst problems. Didn't one of the global root certificate authorities get compromised last year? How should that have even been possible? Just stuff like, "By the way, it's a really bad thing if someone else can digitally sign software on your behalf, and you need to stop it right away if you notice it." might spur some systems guys and developers to do something.

The Average Corporate Drone (0)

Anonymous Coward | about 2 years ago | (#41486225)

..should never do the things you described. The average drone should not write software. Neither should he or she administer computers.

It is a fallacy to think that drones can do all that. All they do is to create safes without locks, buildings without doors and nuclear weapons which go off randomly.

When IT was done by professionals in the "data center" they knew what they did and most of them had a proper education. Nowadays droners who also want to become managers before they ever held a real job with any real proficiency. So they waste their time with all sorts of bullshit (e.g. learning how to make juicy powerpoint presentations) and then they also do some programming and fumble with systems design.

Take away their PCs and give them a mainframe terminal. Hire experts to do hard work in the data center. Forget the idea that all sorts of amateurs "can do software". It is about as rational as saying "amateurs can design rocket motors".

The two pieces of malware (2, Funny)

Anonymous Coward | about 2 years ago | (#41485869)

Two pieces of malware signed with Adobe keys, better known under their common names "Flash Player" and "Adobe Reader".

Also known in antivirus circles as W32/Flash and W32/AdobeReader.

questions questions questions (0)

Anonymous Coward | about 2 years ago | (#41485993)

Is it going to fuck up my existing apps?
Is it going to have to be debugged after it fucks up?
Is the patch going to be a single exe file, or will we need to dig into the certificates, the registry, the directories, the files, the reboots and the lack of any confirmation anything at all has been fixed.

Certainly It Will Fuck up Something (0)

Anonymous Coward | about 2 years ago | (#41486239)

..but probably not the APIs. After all, the crypto keys for protecting the code are affected, not the code itself.

Maybe you should educate yourself as to how this all works. You could start by creating your own GPG cert and then sign your own executables with it. And no, there are no funny GUIs with dancing bunnies available for that. You need to spend serious time reading and experimenting. No instant gratification.

Bruce Schneier's Applied Cryptography is also a good starting point to get a conceptual understanding.

Hdhd (0)

Anonymous Coward | about 2 years ago | (#41486443)

Dufu

Adobe Management = FAILURE (0)

Anonymous Coward | about 2 years ago | (#41486605)

Adobe Management has been failing their clients for years.

Nobody should be using anything from this company unless you make money with it. Period.

Further, anyone currently using anything from Adobe should be actively seeking alternatives.

Microsoft management saw similar issues with their products around the same time that Adobe management knew about the security flaws in all their programs. Microsoft revamped how they develop code and are doing much more than just "trying to do better." MS had/has a plan.

Adobe management doesn't seem to have a plan. They won't make the hard choices to revamp their products with security as a top goal. Flash should have been completely revamped - it is crap code, full of security issues. Closing 10% would break backwards compatibility, so Adobe won't do it. Think of all those mom-pop tiny web stores with flash that we all hate. All of those would need to be redone.

Adobe management - I plead that you'll do the right things. Fix your development processes. Lock down your certificate management. You know you should. Just do it already.

Re:Adobe Management = FAILURE (1)

fast turtle (1118037) | about 2 years ago | (#41490201)

Buzz! Adobe does have a plan. It's called shove it under the carpet until it costs us money. The problem is, it hasn't reached that point yet so they sure as hell won't change things. Unlike MS where it's "Developers, Developers, Developers" for Adobe it's "Money, Money, Money" as they don't even give a damn about profit so long as they get their pay. Corporate value? Not their problem. Security? Costs fucking money. Anything else? Costs money.

Adobe known for security? (0)

Anonymous Coward | about 2 years ago | (#41486749)

Adobe Flash player is one of the most exploited programs on the internet, so this doesn't really seem to be much of a surprise that their other security infrastructure is lacking.
