

StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Name Game

Re: Adobe's code signing certificate has been stolen

FYI the Adobe Flash Player 11.4.402.278 installers I have are signed with a certificate with the serial number 7e 28 2b 07 49 66 9b 59 5f 79 49 ff 06 13 4e 92.

Shockwave Player 11.6.7.637 uses 60 8a ad 6f 0d ed 59 8a b9 8c bf 81 18 7c 91 bb.

Acrobat Reader 9.5.x/X 10.1.4 both use 02 90 96 5e 91 33 40 cd a6 63 4c ef 31 f7 fd 07.

It appears Adobe uses a different certificate for every product.
--
Don't feed trolls--it only makes them grow!



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to MagnusM

Magnus you will love this one..they seem to be on a roll.

Are anti-virus companies regularly committing software piracy?

»security.stackexchange.com/quest···e-piracy
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



mazhurg
Premium
join:2004-05-02
Brighton, ON
Reviews:
·MTS
reply to Name Game


Certificate #

Version
said by Name Game:

Serial Number of the compromised Adobe certificate is 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88

That would be the code used to sign the flash player install V 11.4.400.252 (Windows 7 64 bits)


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by mazhurg:

That would be the code used to sign the flash player install V 11.4.400.252 (Windows 7 64 bits)

Thanks for the info.

Adobe may have signed later versions of Flash with a newer certificate since the one you posted expires on 12/14/2012.
--
Don't feed trolls--it only makes them grow!


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

said by StuartMW:

Adobe may have signed later versions of Flash with a newer certificate since the one you posted expires on 12/14/2012.

Wouldn't the serial number be different on a renewed certificate? With the software I'm using, every certificate (regardless of whether new or renewal) gets a unique serial number from the CA, but I don't know if that is universal for all certificate authorities.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

3 edits


Flash Player 11.4.402.278 certificate
said by leibold:

Wouldn't the serial number be different on a renewed certificate?

Um, it is.

»Re: Adobe's code signing certificate has been stolen

quote:
FYI the Adobe Flash Player 11.4.402.278 installers I have are signed with a certificate with the serial number 7e 28 2b 07 49 66 9b 59 5f 79 49 ff 06 13 4e 92.

And I said new (not renewed).

PS: Flash Player 11.4.402.278 was signed with a certificate that expires 10/1/2012. LOL. Clearly they aren't expecting that version to last long!
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to leibold

Also...

It is not public key stuff so the serial number would be the same for everyone who used the product in the time frame the cert was still valid and came with the download...just don't want people to start thinking every user would be getting a unique serial number for their own benefit.

It is a Web Server SSL Certificate

A Web Server SSL Certificate contains the following information:
The certificate holder's name,
The certificate's serial number and expiration date,
Copy of the certificate holder's public key,
The digital signature of the certificate-issuing authority.

»products.secureserver.net/produc···urbo.htm
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by Name Game:

...just don't want people to start thinking every user would be getting a unique serial number for their own benefit.

Yup.

In short if you download something that is digitally-signed with this certificate consider it suspect.

And that goes for Flash too
--
Don't feed trolls--it only makes them grow!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to MagnusM

Some more info.

quote:
This apparently only affects "the Windows platform" and "three Adobe AIR applications for both Windows and Macintosh".

»isc.sans.edu/diary/Adobe+certifi···th/14194
--
Don't feed trolls--it only makes them grow!

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

2 recommendations

reply to mazhurg

said by mazhurg:

said by Name Game:

Serial Number of the compromised Adobe certificate is 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88

so this explains the recent "strange" release of "new" adobe "flash player" installers, where the builds supposedly were identical but, strangely, they were given new build numbers, and without any new release notes..

i use adobe flash player 10.x.. build 10.3.183.23 had the compromised digital signature.. build 10.3.183.25 has a new, different digital signature..


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Good point! I'd forgotten (or blocked) about that.
--
Don't feed trolls--it only makes them grow!



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to MagnusM

Want to search your system for files signed by the bad Adobe cert? Use any hex search tool to search for "15e5ac0a487063718e39da52301a0488"

Mikko Hypponen
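The hex search suggested in the post above, written out as an added example that is not part of the original thread: it walks a directory tree and reports files whose raw bytes contain the serial number quoted here. The function names and the sample files are constructed for illustration.

```python
import os
import tempfile

# Serial number of the compromised certificate, as quoted in this thread.
COMPROMISED_SERIAL = bytes.fromhex("15e5ac0a487063718e39da52301a0488")

def file_contains(path, needle, chunk_size=1 << 20):
    """Chunked search; keeps len(needle)-1 bytes so boundary matches are found."""
    overlap = len(needle) - 1
    tail = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return False
            window = tail + chunk
            if needle in window:
                return True
            tail = window[-overlap:] if overlap else b""

def scan_tree(root, needle=COMPROMISED_SERIAL, chunk_size=1 << 20):
    """Return sorted paths under root whose raw bytes contain the serial."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if file_contains(path, needle, chunk_size):
                    hits.append(path)
            except OSError:  # unreadable or locked file: skip, keep scanning
                continue
    return sorted(hits)

def demo():
    """Scan constructed sample files (not real installers) with a tiny chunk size.
    The 0x02 0x10 bytes imitate the DER INTEGER header before a 16-byte serial."""
    other = bytes.fromhex("7e282b0749669b595f7949ff06134e92")  # a different serial from the thread
    samples = {
        "signed_bad.bin": b"MZ" + b"\x00" * 100 + b"\x02\x10" + COMPROMISED_SERIAL,
        "signed_other.bin": b"MZ" + b"\x00" * 100 + b"\x02\x10" + other,
        "boundary.bin": b"A" * 60 + COMPROMISED_SERIAL + b"B" * 60,  # straddles a chunk edge
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in scan_tree(root, chunk_size=64)]

if __name__ == "__main__":
    print(demo())
```

A byte match is only a lead: the file merely contains those 16 bytes, so confirm each hit by checking the serial number in the file's digital signature details.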


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to MagnusM

Win 7 adobe certs...

»twitter.com/mikko/status/2527565···/1/large


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to MagnusM

So why hasn't Adobe done something about the expired cert? I downloaded the latest Flash Player from »www.adobe.com/products/flashplay···on3.html a few minutes ago. The cert was OUTDATED by 42 minutes when I downloaded the file.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Yep, it would be.

quote:
PS: Flash Player 11.4.402.278 was signed with a certificate that expires 10/1/2012. LOL. Clearly they aren't expecting that version to last long!

»Re: Adobe's code signing certificate has been stolen
--
Don't feed trolls--it only makes them grow!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

So, because Adobe's cert was stolen they are not going to extend the signature for the current version of Flash Player for which the cert ended at 1:59:59PM?

How come Properties box/digital signature/details says the cert is "ok" even though it is expired and I downloaded Flash Player installer AFTER the cert's validity ended? So, does this mean that nothing about certs can be trusted?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

Does not work that way..

The company said the certificate will be re-issued on Oct. 4, but didn’t explain why it would take that long.

»mcaf.ee/vp0iy
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

2 edits

said by Name Game:

The company said the certificate will be re-issued on Oct. 4, but didn’t explain why it would take that long.

Well they said that about the compromised certificate. That is not the same certificate that was used for Flash Player 11.4.402.278.

I have no idea why Adobe chose to digitally sign Flash Player 11.4.402.278 with a certificate that would expire a few weeks later.

BTW, to answer Mele20's question, the message says "This digital signature is ok." The fact that the certificate used to create the signature is now expired doesn't affect the signature. The signature would not be ok if the package was altered (and it wasn't).
--
Don't feed trolls--it only makes them grow!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game

From your link:

"The three affected applications are Adobe Muse, Adobe Story AIR applications, and Acrobat.com desktop services."

Flash Player wasn't involved. That article is irrelevant as far as to why Adobe has allowed the code signing cert for the CURRENT Flash Player to lapse today.

OT but what is that weird address you used? If ANYBODY but YOU had posted shit like that I would not have gone there. Post a normal address please in the future.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to StuartMW

said by StuartMW:

...I have no idea why Adobe chose to digitally sign Flash Player 11.4.402.278 with a certificate that would expire a few weeks later.

Maybe it's a new way to overcome user resistance and compel installation of their frequent security updates. As you noted earlier:
quote:
Clearly they aren't expecting that version to last long!
Adobe is a lot like fresh bread... in a few days, whatever you have today will be stale or moldy.
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

reply to Mele20

said by Mele20:

From your link:
That article is irrelevant as far as to why Adobe has allowed the code signing cert for the CURRENT Flash Player to lapse today.

Agreed. As to why Adobe chose to use a soon-to-expire certificate--who knows. But as I showed above they use multiple certificates. Again I'm not sure why. Different divisions within the company perhaps. Or maybe they use randomly selected certificates to match their randomly generated programming
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20

Trusted root certificates that are required by Windows 2000, by Windows XP, and by Windows Server 2003

Some certificates that are listed in the previous tables have expired. However, these certificates are necessary for backward compatibility. Even if there is an expired trusted root certificate, anything that was signed by using that certificate before the expiration date requires that the trusted root certificate be validated. As long as expired certificates are not revoked, they can be used to validate anything that was signed before their expiration.

For more information about how to remove root certificates from the store, click the following article number to view the article in the Microsoft Knowledge Base:
293819 How to remove a root certificate from the Trusted Root Store

»support.microsoft.com/kb/293781
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to StuartMW

Aside from Adobe's motives, or whatever with them, why does the Properties box claim the cert is "OK" when I downloaded Flash Player installer AFTER the expiration time today? The cert is NOT "OK" and that is a bit scary that the Properties box claims otherwise.

As for Adobe using multiple certs with different expiration dates for the same Flash Player version that is crazy and certainly not of benefit to the user. (But then since when has Adobe been concerned with benefiting the user)?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Name Game

said by Name Game:

As long as expired certificates are not revoked, they can be used to validate anything that was signed before their expiration.

Yup, but IMO it's bad practice to use a certificate that will expire within weeks. But as Blackbird said, that version of Flash would be stale/moldy by then anyway.
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to MagnusM

I would assume if you were on a server and the IT guys had it set up..you might not be able to install it or would get a warning.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit
reply to Mele20

said by Mele20:

The cert is NOT "OK" and that is a bit scary that the Properties box claims otherwise.

I posted the explanation of that above. The message didn't say the cert was ok it said the signature was ok! They're different things.

cert ==> used to create digital signature

cert != digital signature
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

3 edits
reply to Mele20

my cert for the google chrome adobe flash does not expire until dec 2012 as I recall.

It is a 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 which is a compromised cert... I could care less since we already know the files out there in the wild that used this cert and they certainly are not adobe stuff..



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit
reply to Mele20

said by Mele20:

As for Adobe using multiple certs with different expiration dates for the same Flash Player version that is crazy...

+100



--
Don't feed trolls--it only makes them grow!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

reply to Name Game

I figured it out. I didn't pay enough attention to the fact there is a countersigner to the Adobe digital signature that has expired. The countersigner is Symantec Time Stamping Countersigner and it doesn't expire until December 31, 2012.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit

Purpose for that one is to attest the thing was signed with the current time.

The adobe cert purpose was to..

. Ensures software came from the software publisher
and
. Protects the software from alteration after publication