dslreports logo
 
    All Forums Hot Topics Gallery
spc
uniqs
34

MagnusM
Premium Member
join:2001-07-07

1 recommendation

MagnusM to norwegian

Premium Member

to norwegian

Re: Adobe's code signing certificate has been stolen

That confused me too at first, but I believe they store clean files in their sample repository, so there were 5127 files in total, 5124 of which were legitimate signed Adobe files and then 3 malware files.

norwegian
Premium Member
join:2005-02-15
Outback

norwegian

Premium Member

Understand that could be true too.

I was more curious of the date stamp anyway if known, whether it was 3 days or so ago or older. The rest was just insight into figures; which as you point out can be read many ways without the database facts that need to go with it.

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

I doubt you'll find out much more info. Adobe will most likely keep the facts very close to their chest. The classic "nothing to see here... move along". That's how its handled these days.

A number of large US banks were attacked in the last week and almost all press releases said something to the effect

"We take security seriously and are constantly monitoring it"
"There was no effect on customer accounts"

blah blah blah...

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

1 edit

Name Game to MagnusM

Premium Member

to MagnusM
Serial Number of the compromised Adobe certificate is 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88

»twitter.com/mikko/status ··· /photo/1


Security Advisory: Upcoming Revocation of Adobe code signing certificate

DETAILS

Adobe is investigating what appears to be the misuse of an Adobe code signing certificate. Adobe is aware at this time of two malicious utilities from a single source that appeared to be digitally signed using a valid Adobe code-signing certificate.

The first malicious utility is pwdump7 v7.1. This utility extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay.dll. The sample we received included the two files separate and individually signed.

PwDump7.exe:
MD5 hash: 130F7543D2360C40F8703D3898AFAC22

File size: 81.6 KB (83,648 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00)

MD5 hash of file with signature removed: D1337B9E8BAC0EE285492B89F895CADB
libeay32.dll
MD5 hash: 095AB1CCC827BE2F38620256A620F7A4
File size: 999 KB (1,023,168 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:13 PM PDT (GMT -7:00)

MD5 hash of file with signature removed: A7EFD09E5B963AF88CE2FC5B8EB7127C

The second malicious utility, myGeeksmail.dll, appears to be a malicious ISAPI filter. Unlike the first utility, we are not aware of any publicly available versions of this ISAPI filter.

myGeeksmail.dll
MD5 hash: 46DB73375F05F09AC78EC3D940F3E61A
File size: 80.6 KB (82,624 bytes)
Signature timestamp: Wednesday, July 25, 2012 8:48:59 PM (GMT -7:00)

MD5 hash of file with signature removed: 8EA2420013090077EA875B97D7D1FF07

»www.adobe.com/support/se ··· -01.html

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

FYI the Adobe Flash Player 11.4.402.278 installers I have are signed with a certificate with the serial number 7e 28 2b 07 49 66 9b 59 5f 79 49 ff 06 13 4e 92.

Shockwave Player 11.6.7.637 uses 60 8a ad 6f 0d ed 59 8a b9 8c bf 81 18 7c 91 bb.

Acrobat Reader 9.5.x/X 10.1.4 both use 02 90 96 5e 91 33 40 cd a6 63 4c ef 31 f7 fd 07.

It appears Adobe uses a different certificate for every product.

mazhurg
Premium Member
join:2004-05-02
Brighton, ON

mazhurg to Name Game

Premium Member

to Name Game

Certificate #

Version
said by Name Game:

Serial Number of the compromised Adobe certificate is 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88

That would be the code used to sign the flash player install V 11.4.400.252 (Windows 7 64 bits)

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

said by mazhurg:

That would be the code used to sign the flash player install V 11.4.400.252 (Windows 7 64 bits)

Thanks for the info.

Adobe may have signed later versions of Flash with a newer certificate since the one you posted expires on 12/14/2012.

leibold
MVM
join:2002-07-09
Sunnyvale, CA
Netgear CG3000DCR
ZyXEL P-663HN-51

leibold

MVM

said by StuartMW:

Adobe may have signed later versions of Flash with a newer certificate since the one you posted expires on 12/14/2012.

Wouldn't the serial number be different on a renewed certificate ? With the software I'm using every certificate (regardless whether new or renewal) gets a unique serial number from the CA but I don't know if that is universal for all certificate authorities.

StuartMW
Premium Member
join:2000-08-06

3 edits

StuartMW

Premium Member


Flash Player 11.4.402.278 certificate
said by leibold:

Wouldn't the serial number be different on a renewed certificate ?

Um, it is.

»Re: Adobe's code signing certificate has been stolen
quote:
FYI the Adobe Flash Player 11.4.402.278 installers I have are signed with a certificate with the serial number 7e 28 2b 07 49 66 9b 59 5f 79 49 ff 06 13 4e 92.

And I said new (not renewed).

PS: Flash Player 11.4.402.278 was signed with a certificate that expires 10/1/2012. LOL. Clearly they aren't expecting that version to last long!

Name Game
Premium Member
join:2002-07-07
Grand Rapids, MI

Name Game to leibold

Premium Member

to leibold
Also...

It is not public key stuff so the serial number would be the same for everyone who used the product in the time frame the cert was still valid and came with the download...just don't want people to start thinking every user would be getting a unique serial number for their own benefit.

It is a Web Server SSL Certificate

A Web Server SSL Certificate contains the following information:
The certificate holder's name,
The certificate's serial number and expiration date,
Copy of the certificate holder's public key,
The digital signature of the certificate-issuing authority.

»products.secureserver.ne ··· urbo.htm

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

said by Name Game:

...just don't want people to start thinking every user would be getting a unique serial number for their own benefit.

Yup.

In short if you download something that is digitally-signed with this certificate consider it suspect.

And that goes for Flash too
redwolfe_98
Premium Member
join:2001-06-11

2 recommendations

redwolfe_98 to mazhurg

Premium Member

to mazhurg
said by mazhurg:

said by Name Game:

Serial Number of the compromised Adobe certificate is 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88

so this explains the recent "strange" release of "new" adobe "flash player" installers, where the builds supposedly were identical but, strangely, they were given new build numbers, and without any new releasenotes..

i use adobe flash player 10.x.. build 10.3.183.23 had the compromised digital signature.. build 10.3.183.25 has a new, different digital signature..

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

Good point! I'd forgotten (or blocked) about that.