dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
4775
share rss forum feed


MagnusM
Premium
join:2001-07-07

2 recommendations

Adobe's code signing certificate has been stolen

So it appears that a build server at Adobe was compromised, and the criminals managed to make off with a code-signing certificate bearing a shiny "Adobe Systems Inc." string.

The code signing certificate has already been utilized to sign malware. Adobe say they will shortly revoke the certificate and have it added to Verisign's certificate revocation list.

Full details at »blogs.adobe.com/asset/2012/09/in···ate.html
--
Mischel Internet Security - Developer of TrojanHunter


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

3 edits

1 recommendation

LOL

Sorry, I know it isn't really funny but Adobe seems to be be run by The Three Stooges Larry/Curly/Moe (pick one).

Actually:

Adobe = Larry
Sun = Curly
Microsoft = Moe

(feel free to change the order)

I usually check the Digital Certificates of stuff I download but I'm sure many don't.
--
Don't feed trolls--it only makes them grow!


Elite

join:2002-10-03
Orange, CT
reply to MagnusM
Poor Adobe. If Flash isn't getting exploited on 100s of thousands of consumer PCs, it's their build server.

Edit: punctuation
--
QUAD!!!!


MagnusM
Premium
join:2001-07-07
reply to MagnusM
Strangely, Adobe don't plan to revoke the certificate until October 4th. Not sure the reasoning behind this, but maybe the revokation process simply takes a number of days to complete.
--
Mischel Internet Security - Developer of TrojanHunter


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

1 recommendation

said by MagnusM:

Strangely, Adobe don't plan to revoke the certificate until October 4th. Not sure the reasoning behind this, but maybe the revokation process simply takes a number of days to complete.

Just guessing: they are identifying all Adobe software that was signed before the certificate was stolen and prepare updates for those software packages that are signed with a new certificate.
If they were issuing the certificate revocation first then owners of legitimate software would be negatively effected.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 recommendation

reply to MagnusM
Next time you bring news it is ok if it's good news.


MagnusM
Premium
join:2001-07-07
said by Name Game:

Next time you bring news it is ok if it's good news.

That's not how I roll!
--
Mischel Internet Security - Developer of TrojanHunter


MagnusM
Premium
join:2001-07-07

1 recommendation

reply to leibold
said by leibold:

Just guessing: they are identifying all Adobe software that was signed before the certificate was stolen and prepare updates for those software packages that are signed with a new certificate.

That's almost certainly it. Good call.
--
Mischel Internet Security - Developer of TrojanHunter


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

2 recommendations

reply to Name Game
quote:
Doctor Adobe: I have some good news and I have some bad news.
Patient User: What's the good news?
Doctor Adobe: The good news is that the tests you took showed that you have 24 hours to live.
Patient User: That's the good news? What's the bad news?
Doctor Adobe: The bad news is that I forgot to call you yesterday!

--
Don't feed trolls--it only makes them grow!


siljaline
I'm lovin' that double wide
Premium
join:2002-10-12
Montreal, QC
kudos:17
Reviews:
·Bell Sympatico
reply to MagnusM


chachazz
Premium
join:2003-12-14
kudos:9
Reviews:
·TELUS
reply to MagnusM


MagnusM
Premium
join:2001-07-07
reply to MagnusM
I received this feedback from Wiebke Lips at Adobe:

quote:
Please note that the certificate was NOT stolen. Adobe has stringent security measures in place to protect its code signing infrastructure. The private keys associated with the Adobe code signing certificates were stored in Hardware Security Modules (HSMs) kept in physically secure facilities. We confirmed that the private key associated with the Adobe code signing certificate was not extracted from the Hardware Security Module (HSM). For details, please refer to the blog post referenced above.

So it seems the malware files were signed by uploading them to the compromised build server, which then in turn signed the files. They private key itself was not actually accessed by the criminals. A post on twitter by Mikko Hypponen of F-Secure indicates that at least 5000 malware samples have been signed with this certificate, so the server must have been compromised for a while.
--
Mischel Internet Security - Developer of TrojanHunter


norwegian
Premium
join:2005-02-15
Outback
said by MagnusM:

So it seems the malware files were signed by uploading them to the compromised build server, which then in turn signed the files. They private key itself was not actually accessed by the criminals. A post on twitter by Mikko Hypponen of F-Secure indicates that at least 5000 malware samples have been signed with this certificate, so the server must have been compromised for a while.

How recent was this, has it been date stamped?
--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



MagnusM
Premium
join:2001-07-07
Seems the first tweet (»twitter.com/mikko/status/251429422807265280) was a bit unclear:

quote:
Our sample repository has 5127 files that have been signed with the compromised Adobe certificate. pic.twitter.com/t0o9M0YA

Today, he tweeted this update (»twitter.com/mikko/status/2514561···739648):

quote:
We have thousands of clean, official Adobe files signed with the compromised certificate. Only 3 bad files.

--
Mischel Internet Security - Developer of TrojanHunter


norwegian
Premium
join:2005-02-15
Outback

We have thousands of clean, official Adobe files signed with the compromised certificate. Only 3 bad files.

Interesting. 3 only, yet all 5127 were malware samples?
Something to be kept low key....

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



MagnusM
Premium
join:2001-07-07

1 recommendation

That confused me too at first, but I believe they store clean files in their sample repository, so there were 5127 files in total, 5124 of which were legitimate signed Adobe files and then 3 malware files.
--
Mischel Internet Security - Developer of TrojanHunter


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to norwegian
Adobe--it's all a Flash in the pan


norwegian
Premium
join:2005-02-15
Outback
reply to MagnusM
Understand that could be true too.

I was more curious of the date stamp anyway if known, whether it was 3 days or so ago or older. The rest was just insight into figures; which as you point out can be read many ways without the database facts that need to go with it.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
I doubt you'll find out much more info. Adobe will most likely keep the facts very close to their chest. The classic "nothing to see here... move along". That's how its handled these days.

A number of large US banks were attacked in the last week and almost all press releases said something to the effect

"We take security seriously and are constantly monitoring it"
"There was no effect on customer accounts"

blah blah blah...
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to MagnusM
Serial Number of the compromised Adobe certificate is 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88

»twitter.com/mikko/status/2514324···/photo/1

Security Advisory: Upcoming Revocation of Adobe code signing certificate

DETAILS

Adobe is investigating what appears to be the misuse of an Adobe code signing certificate. Adobe is aware at this time of two malicious utilities from a single source that appeared to be digitally signed using a valid Adobe code-signing certificate.

The first malicious utility is pwdump7 v7.1. This utility extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay.dll. The sample we received included the two files separate and individually signed.

PwDump7.exe:
MD5 hash: 130F7543D2360C40F8703D3898AFAC22

File size: 81.6 KB (83,648 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00)

MD5 hash of file with signature removed: D1337B9E8BAC0EE285492B89F895CADB
libeay32.dll
MD5 hash: 095AB1CCC827BE2F38620256A620F7A4
File size: 999 KB (1,023,168 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:13 PM PDT (GMT -7:00)

MD5 hash of file with signature removed: A7EFD09E5B963AF88CE2FC5B8EB7127C

The second malicious utility, myGeeksmail.dll, appears to be a malicious ISAPI filter. Unlike the first utility, we are not aware of any publicly available versions of this ISAPI filter.

myGeeksmail.dll
MD5 hash: 46DB73375F05F09AC78EC3D940F3E61A
File size: 80.6 KB (82,624 bytes)
Signature timestamp: Wednesday, July 25, 2012 8:48:59 PM (GMT -7:00)

MD5 hash of file with signature removed: 8EA2420013090077EA875B97D7D1FF07

»www.adobe.com/support/security/a···-01.html


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
FYI the Adobe Flash Player 11.4.402.278 installers I have are signed with a certificate with the serial number 7e 28 2b 07 49 66 9b 59 5f 79 49 ff 06 13 4e 92.

Shockwave Player 11.6.7.637 uses 60 8a ad 6f 0d ed 59 8a b9 8c bf 81 18 7c 91 bb.

Acrobat Reader 9.5.x/X 10.1.4 both use 02 90 96 5e 91 33 40 cd a6 63 4c ef 31 f7 fd 07.

It appears Adobe uses a different certificate for every product.
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to MagnusM
Magnus you will love this one..they seem to be on a roll.

Are anti-virus companies companies regularly committing software piracy?

»security.stackexchange.com/quest···e-piracy
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


mazhurg
Premium
join:2004-05-02
Brighton, ON
Reviews:
·MTS
reply to Name Game

Certificate #

Version
said by Name Game:

Serial Number of the compromised Adobe certificate is 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88

That would be the code used to sign the flash player install V 11.4.400.252 (Windows 7 64 bits)


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
said by mazhurg:

That would be the code used to sign the flash player install V 11.4.400.252 (Windows 7 64 bits)

Thanks for the info.

Adobe may have signed later versions of Flash with a newer certificate since the one you posted expires on 12/14/2012.
--
Don't feed trolls--it only makes them grow!


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET
said by StuartMW:

Adobe may have signed later versions of Flash with a newer certificate since the one you posted expires on 12/14/2012.

Wouldn't the serial number be different on a renewed certificate ? With the software I'm using every certificate (regardless whether new or renewal) gets a unique serial number from the CA but I don't know if that is universal for all certificate authorities.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

3 edits

Flash Player 11.4.402.278 certificate
said by leibold:

Wouldn't the serial number be different on a renewed certificate ?

Um, it is.

»Re: Adobe's code signing certificate has been stolen

quote:
FYI the Adobe Flash Player 11.4.402.278 installers I have are signed with a certificate with the serial number 7e 28 2b 07 49 66 9b 59 5f 79 49 ff 06 13 4e 92.

And I said new (not renewed).

PS: Flash Player 11.4.402.278 was signed with a certificate that expires 10/1/2012. LOL. Clearly they aren't expecting that version to last long!
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to leibold
Also...

It is not public key stuff so the serial number would be the same for everyone who used the product in the time frame the cert was still valid and came with the download...just don't want people to start thinking every user would be getting a unique serial number for their own benefit.

It is a Web Server SSL Certificate

A Web Server SSL Certificate contains the following information:
The certificate holder's name,
The certificate's serial number and expiration date,
Copy of the certificate holder's public key,
The digital signature of the certificate-issuing authority.

»products.secureserver.net/produc···urbo.htm
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
said by Name Game:

...just don't want people to start thinking every user would be getting a unique serial number for their own benefit.

Yup.

In short if you download something that is digitally-signed with this certificate consider it suspect.

And that goes for Flash too
--
Don't feed trolls--it only makes them grow!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to MagnusM
Some more info.

quote:
This apparently only effects "the Windows platform" and "three Adobe AIR applications for both Windows and Macintosh".

»isc.sans.edu/diary/Adobe+certifi···th/14194
--
Don't feed trolls--it only makes them grow!

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

2 recommendations

reply to mazhurg
said by mazhurg:

said by Name Game:

Serial Number of the compromised Adobe certificate is 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88

so this explains the recent "strange" release of "new" adobe "flash player" installers, where the builds supposedly were identical but, strangely, they were given new build numbers, and without any new releasenotes..

i use adobe flash player 10.x.. build 10.3.183.23 had the compromised digital signature.. build 10.3.183.25 has a new, different digital signature..