MagnusM Premium Member join:2001-07-07
1 recommendation |
to norwegian
Re: Adobe's code signing certificate has been stolenThat confused me too at first, but I believe they store clean files in their sample repository, so there were 5127 files in total, 5124 of which were legitimate signed Adobe files and then 3 malware files. |
|
norwegian Premium Member join:2005-02-15 Outback |
norwegian
Premium Member
2012-Sep-28 10:30 am
Understand that could be true too.
I was more curious of the date stamp anyway if known, whether it was 3 days or so ago or older. The rest was just insight into figures; which as you point out can be read many ways without the database facts that need to go with it. |
|
|
StuartMW
Premium Member
2012-Sep-28 10:37 am
I doubt you'll find out much more info. Adobe will most likely keep the facts very close to their chest. The classic "nothing to see here... move along". That's how its handled these days.
A number of large US banks were attacked in the last week and almost all press releases said something to the effect
"We take security seriously and are constantly monitoring it" "There was no effect on customer accounts"
blah blah blah... |
|
Name Game Premium Member join:2002-07-07 Grand Rapids, MI 1 edit |
to MagnusM
Serial Number of the compromised Adobe certificate is 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 » twitter.com/mikko/status ··· /photo/1Security Advisory: Upcoming Revocation of Adobe code signing certificateDETAILS
Adobe is investigating what appears to be the misuse of an Adobe code signing certificate. Adobe is aware at this time of two malicious utilities from a single source that appeared to be digitally signed using a valid Adobe code-signing certificate.
The first malicious utility is pwdump7 v7.1. This utility extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay.dll. The sample we received included the two files separate and individually signed.
PwDump7.exe: MD5 hash: 130F7543D2360C40F8703D3898AFAC22
File size: 81.6 KB (83,648 bytes) Signature timestamp: Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00)
MD5 hash of file with signature removed: D1337B9E8BAC0EE285492B89F895CADB libeay32.dll MD5 hash: 095AB1CCC827BE2F38620256A620F7A4 File size: 999 KB (1,023,168 bytes) Signature timestamp: Thursday, July 26, 2012 8:44:13 PM PDT (GMT -7:00)
MD5 hash of file with signature removed: A7EFD09E5B963AF88CE2FC5B8EB7127C
The second malicious utility, myGeeksmail.dll, appears to be a malicious ISAPI filter. Unlike the first utility, we are not aware of any publicly available versions of this ISAPI filter.
myGeeksmail.dll MD5 hash: 46DB73375F05F09AC78EC3D940F3E61A File size: 80.6 KB (82,624 bytes) Signature timestamp: Wednesday, July 25, 2012 8:48:59 PM (GMT -7:00)
MD5 hash of file with signature removed: 8EA2420013090077EA875B97D7D1FF07 » www.adobe.com/support/se ··· -01.html |
|
|
StuartMW
Premium Member
2012-Sep-28 11:40 am
FYI the Adobe Flash Player 11.4.402.278 installers I have are signed with a certificate with the serial number 7e 28 2b 07 49 66 9b 59 5f 79 49 ff 06 13 4e 92.
Shockwave Player 11.6.7.637 uses 60 8a ad 6f 0d ed 59 8a b9 8c bf 81 18 7c 91 bb.
Acrobat Reader 9.5.x/X 10.1.4 both use 02 90 96 5e 91 33 40 cd a6 63 4c ef 31 f7 fd 07.
It appears Adobe uses a different certificate for every product. |
|
mazhurg Premium Member join:2004-05-02 Brighton, ON |
to Name Game
Certificate # | Version |
said by Name Game:Serial Number of the compromised Adobe certificate is 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 That would be the code used to sign the flash player install V 11.4.400.252 (Windows 7 64 bits) |
|
|
StuartMW
Premium Member
2012-Sep-28 2:19 pm
said by mazhurg:That would be the code used to sign the flash player install V 11.4.400.252 (Windows 7 64 bits) Thanks for the info. Adobe may have signed later versions of Flash with a newer certificate since the one you posted expires on 12/14/2012. |
|
leibold MVM join:2002-07-09 Sunnyvale, CA Netgear CG3000DCR ZyXEL P-663HN-51
|
said by StuartMW:Adobe may have signed later versions of Flash with a newer certificate since the one you posted expires on 12/14/2012. Wouldn't the serial number be different on a renewed certificate ? With the software I'm using every certificate (regardless whether new or renewal) gets a unique serial number from the CA but I don't know if that is universal for all certificate authorities. |
|
3 edits |
StuartMW
Premium Member
2012-Sep-28 2:41 pm
Flash Player 11.4.402.278 certificate |
said by leibold:Wouldn't the serial number be different on a renewed certificate ? Um, it is. » Re: Adobe's code signing certificate has been stolenquote: FYI the Adobe Flash Player 11.4.402.278 installers I have are signed with a certificate with the serial number 7e 28 2b 07 49 66 9b 59 5f 79 49 ff 06 13 4e 92.
And I said new (not renewed). PS: Flash Player 11.4.402.278 was signed with a certificate that expires 10/1/2012. LOL. Clearly they aren't expecting that version to last long! |
|
Name Game Premium Member join:2002-07-07 Grand Rapids, MI |
to leibold
Also... It is not public key stuff so the serial number would be the same for everyone who used the product in the time frame the cert was still valid and came with the download...just don't want people to start thinking every user would be getting a unique serial number for their own benefit. It is a Web Server SSL Certificate A Web Server SSL Certificate contains the following information: The certificate holder's name, The certificate's serial number and expiration date, Copy of the certificate holder's public key, The digital signature of the certificate-issuing authority. » products.secureserver.ne ··· urbo.htm |
|
|
StuartMW
Premium Member
2012-Sep-28 3:11 pm
said by Name Game:...just don't want people to start thinking every user would be getting a unique serial number for their own benefit. Yup. In short if you download something that is digitally-signed with this certificate consider it suspect. And that goes for Flash too |
|
2 recommendations |
to mazhurg
said by mazhurg:said by Name Game:Serial Number of the compromised Adobe certificate is 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 so this explains the recent "strange" release of "new" adobe "flash player" installers, where the builds supposedly were identical but, strangely, they were given new build numbers, and without any new releasenotes.. i use adobe flash player 10.x.. build 10.3.183.23 had the compromised digital signature.. build 10.3.183.25 has a new, different digital signature.. |
|
|
StuartMW
Premium Member
2012-Sep-29 2:43 pm
Good point! I'd forgotten (or blocked) about that. |
|