Last week, Adobe disclosed that its code signing service had been hacked. Luckily, the damage appears to be limited, but there are still a few things IT may have to do before Oct. 4.
A quick refresher: Code signing is the process of digitally signing the code of executables and scripts. Digital signatures certify that the code is legitimate and hasn’t been altered by anyone other than the author. Trusted code is issued a certificate that is encrypted with a private or public key, depending on the organization issuing the certificate.
Here’s the gist of what happened to Adobe: One of its build servers was infected with malware. That build server had access to Adobe’s code signing service. From there, the hackers requested legitimate digital signatures for their malicious code.
Basically, the hackers used Adobe’s credentials to sign their malware and make it appear to be legitimate Adobe code to Windows operating systems (and Mac OS X in some cases).
The certificate itself wasn’t stolen and neither was the private key associated with it.
Adobe believes most of its customers won’t be affected for two reasons: one) this sort of tactic is typically used to launch targeted attacks, and two) so far it appears the compromised certificate was used to sign only two pieces of malware.
All Adobe software code signed with the highjacked certificate after July 10, 2012, must be updated with a new certificate so it will run after the original certificate is revoked on Oct. 4.
Eventually, security vendors will be able to detect the malware signed with the highjacked certificate, but in the meantime, here’s a list of the software in need of updating:
- Flash Player
- Reader
- Adobe Application Manager – Enterprise Edition
- Adobe Provisioning Toolkit – Enterprise Edition
- Report Builder – Digital Marketing Suite
- SiteCatalyst Real-Time Dashboard – Digital Marketing Suite
- Adobe Update Server Setup Tool
- Flash Media Server 4.5.3
- ColdFusion 10, and
- Three Adobe AIR applications, Adobe Muse, Adobe Story AIR, and Acrobat.com desktop services (Windows and Mac OS X)
For more detailed information, see the following from Adobe: