A recent Adobe blog reported that one of its code-signing security certificates had validated malicious code.
This episode puts the security-certificate system under the spotlight once again, and it should prompt many of us to check the status of our Adobe software.
What we know so far about the break-in
A Sept. 27 Adobe Secure Software Engineering Team Blog post stated that Adobe had “received two malicious utilities that appeared to be digitally signed using a valid Adobe code-signing certificate.” The security certificate was intended for some of Adobe’s Windows apps and three AIR apps for Windows and Mac. Adobe will soon revoke the certificate and send out updates for the related apps.
Put simply, if the malicious apps were installed on a PC, Adobe’s certificate server would approve them as valid Adobe software. One of the apps is a password-cracking tool; the other is a website filter.
The Adobe post goes on to state that the compromised server had no access to Adobe source code and, in particular, no access to Adobe’s Flash Player, Adobe Reader, Shockwave Player, or Adobe AIR. There’s also no evidence that source code was stolen — which is small comfort for us, I suppose.
A Sept. 28 Threatpost blog notes that Adobe has not revealed how the attackers were able to plant malware on its systems — only that those who broke in eventually found their way to an Adobe build server that gave them access to the certificate system. This attack was somewhat unusual because the attackers “weren’t so much interested in Adobe’s corporate assets or source code but rather the company’s reputation. They wanted the authority that came along with having their utilities signed with a legitimate Adobe certificate.”
The Adobe blog does reveal that one malicious piece of software is pwdump7 v7.1, a utility that extracts password hashes from Windows. The other malicious software is myGeesmail.dll, a malicious ISAPI Web filter used on Web servers.
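One practical way to act on the advice above and check the status of installed Adobe binaries is to re-verify each file's Authenticode signature against current revocation data, so a signature from a since-revoked certificate shows up. This is an added example, not code from the Adobe or Threatpost posts; the Adobe install path is an assumption.

```powershell
# Added example: list signed executables under a directory whose signature is
# not valid or whose signing certificate has been revoked.
param(
    [string]$Root = "$env:ProgramFiles\Adobe"   # assumption: where the apps live
)

# A chain builder that consults live CRL/OCSP data for the whole chain, rather
# than relying on whatever revocation status was cached at install time.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag =
    [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$revokedFlag = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked

Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $signer = $null
    $revoked = $false
    if ($sig.SignerCertificate) {
        $signer = $sig.SignerCertificate.Subject
        # Build the chain ourselves and look for a Revoked status on any element.
        [void]$chain.Build($sig.SignerCertificate)
        $revoked = [bool]($chain.ChainStatus |
            Where-Object { $_.Status -band $revokedFlag })
    }
    [pscustomobject]@{
        File    = $_.FullName
        Status  = $sig.Status      # Valid, NotSigned, HashMismatch, ...
        Signer  = $signer
        Revoked = $revoked
    }
} | Where-Object { $_.Status -ne 'Valid' -or $_.Revoked } | Format-Table -AutoSize
```

Files that are unsigned or whose signer chain reports Revoked are the ones to compare against the vendor's update notices before trusting them further.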