Topic 'Re: Adobe's code signing certificate has been stolen' in forum 'Security' - dslreports.com

Re: Adobe's code signing certificate has been stolen

Fri, 05 Oct 2012 12:34:15 EDT

Name Game posted : The candle is still lit on the glow-ball..but there is frost on the pumpkins :o

Re: Adobe's code signing certificate has been stolen

Fri, 05 Oct 2012 11:45:35 EDT

StuartMW posted : Hang on. If you have glow-ball worming how did the Windows freeze? :D
--
Don't feed trolls--it only makes them grow!

Re: Adobe's code signing certificate has been stolen

Fri, 05 Oct 2012 11:42:44 EDT

Name Game posted : Found the problem :(

Wife by text to me at work:

"Hello,

Windows at home frozen - what will I do?"

Me - "Spray some de-icer or pour hot water on them"

Wife a few minutes later - "Done that, now computer won't work at all."
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Re: Adobe's code signing certificate has been stolen

Fri, 05 Oct 2012 08:31:02 EDT

siljaline posted : That's the one.

--
Donne-moi des peanuts, j’m’en va te chanter "Alouette" sans fausse note

Re: Adobe's code signing certificate has been stolen

Fri, 05 Oct 2012 08:13:32 EDT

StuartMW posted :

said by siljaline:

Globule :p

I thought it was glow-ball worming :p
--
Don't feed trolls--it only makes them grow!

Re: Adobe's code signing certificate has been stolen

Fri, 05 Oct 2012 08:06:45 EDT

siljaline posted : Globule :p

Re: Adobe's code signing certificate has been stolen

Thu, 04 Oct 2012 22:00:49 EDT

Blackbird posted :

said by Name Game:

So that's what happened..I thought it was just my flash acting up again.. :(

But... don't give up! You can fix that computer!
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775

Re: Adobe's code signing certificate has been stolen

Thu, 04 Oct 2012 20:18:12 EDT

Name Game posted : No..I have a globule warming problem..

Re: Adobe's code signing certificate has been stolen

Thu, 04 Oct 2012 20:06:43 EDT

siljaline posted :

said by Name Game:

let them know their blog post stuff is wrong..should be

Uh... can't sign in and alert MS yerself :D

Re: Adobe's code signing certificate has been stolen

Thu, 04 Oct 2012 19:57:40 EDT

Name Game posted :

said by siljaline:

MS MMPC just issued this:
»blogs.technet.com/b/mmpc/archive···ate.aspx

let them know their blog post stuff is wrong..should be

libeay32.dll
MD5 hash: 095AB1CCC827BE2F38620256A620F7A4
File size: 999 KB (1,023,168 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:13 PM PDT (GMT -7:00)

not libeay.dll

I have a copy of that "tool"

»vishnuvalentino.com/computer-sec···w-table/
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Re: Adobe's code signing certificate has been stolen

Thu, 04 Oct 2012 19:31:12 EDT

siljaline posted : MS MMPC just issued this:
»blogs.technet.com/b/mmpc/archive···ate.aspx

Re: Adobe's code signing certificate has been stolen

Thu, 04 Oct 2012 19:23:53 EDT

StuartMW posted : I'd write that one off... although you can probably recover data from the HD(s) :)
--
Don't feed trolls--it only makes them grow!

Re: Adobe's code signing certificate has been stolen

Thu, 04 Oct 2012 19:21:49 EDT

Name Game posted : I bought it in Denver..can I get some stimulus to bring it back on line beofe it goes green ?

Re: Adobe's code signing certificate has been stolen

Thu, 04 Oct 2012 19:19:34 EDT

StuartMW posted : I don't think PC's get altitude sickness unlike, um, certain people who visit Denver :)
--
Don't feed trolls--it only makes them grow!

Re: Adobe's code signing certificate has been stolen

Thu, 04 Oct 2012 19:15:18 EDT

Name Game posted : Too much altitude to move enough hot air..ya thunk :o
The chair is empty too..woe is me.

Re: Adobe's code signing certificate has been stolen

Thu, 04 Oct 2012 19:03:24 EDT

StuartMW posted : Looks like you shouldn't have ignored those faulty CPU fan warnings :D
--
Don't feed trolls--it only makes them grow!

Re: Adobe's code signing certificate has been stolen

Thu, 04 Oct 2012 19:01:10 EDT

Name Game posted : So that's what happened..I thought it was just my flash acting up again.. :(

Re: Adobe's code signing certificate has been stolen

Thu, 04 Oct 2012 18:52:51 EDT

chachazz posted : Adobe PSIRT: Update to Security Advisory: Adobe Revokes Code Signing Certificate (APSA12-01)

quote:
Following up on our communication from September 27, 2012, we have now revoked the Adobe code signing certificate for all code signed after July 10, 2012 (00:00 GMT).

We have updated the Security Advisory (APSA12-01) to reflect this action.

quote:
Adobe has revoked the certificate on October 4 for all software code signed after July 10, 2012 (00:00 GMT). Adobe has issued updates signed using a new digital certificate for all affected products.

The following certificate has been revoked and the certificate revocation list (CRL) is available at »csc3-2010-crl.verisign.com/CSC3-2010.crl:

• sha1RSA certificate
• Issued to Adobe Systems Incorporated
• Issued by VeriSign Class 3 Code Signing 2010 CA
• Serial Number: 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88
• sha1 Thumbprint: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c
• Valid from December 14, 2010 5:00 PM PST (GMT -8:00) to December 14, 2012 4:59:59 PM PST (GMT -8:00)

Note: The revocation of the certificate affects the Windows platform and three Adobe AIR applications (Adobe Muse and Adobe Story AIR applications as well as Acrobat.com desktop services) that run on both Windows and Macintosh. The revocation does not impact any other Adobe software for Macintosh or other platforms.

--
Gladiator Security Forum: www.gladiator-antivirus.com/

Re: Adobe's code signing certificate has been stolen

Thu, 04 Oct 2012 01:50:23 EDT

Mele20 posted : That is a good idea.....if I can remember it! ;)

Re: Adobe's code signing certificate has been stolen

Wed, 03 Oct 2012 22:49:09 EDT

StuartMW posted :

said by Mele20:

I wish the forum software would let us add "auto quote" to a post when we edit that post.

I use this trick. I start editing the post without quotes, Then I open another tab/window and do a reply/quote on the post I'm replying to, Then I copy'n'paste :D
--
Don't feed trolls--it only makes them grow!

Re: Adobe's code signing certificate has been stolen

Wed, 03 Oct 2012 22:40:33 EDT

Name Game posted : OK well the stores are a function of the OS for downloaded software.. I guess you means the certs for various secure website one visits..

»dev.chromium.org/Home/chromium-s···a-policy

»www.poweradmin.com/help/sslhints/Chrome.aspx

»superuser.com/questions/347588/h···ins-work

I think Opera has a Certificaterevocationlistsforssl thing for those cases and found here opera:config#SecurityPrefs|Certificaterevocationlistsforssl
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Re: Adobe's code signing certificate has been stolen

Wed, 03 Oct 2012 22:15:12 EDT

Mele20 posted : I wish the forum software would let us add "auto quote" to a post when we edit that post. I didn't auto quote you and saw that was a mistake AFTER I posted and then I couldn't add auto quote when I tried to edit the post. So, I just left it confusing. :p

Not all browsers handle a certificate store like IE does.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Re: Adobe's code signing certificate has been stolen

Wed, 03 Oct 2012 21:20:45 EDT

Name Game posted :

said by Mele20:

That's what IE does. Don't assume other browsers do what IE does.

Does what ?

Re: Adobe's code signing certificate has been stolen

Wed, 03 Oct 2012 20:33:46 EDT

Mele20 posted : That's what IE does. Don't assume other browsers do what IE does.

Re: Adobe's code signing certificate has been stolen

Wed, 03 Oct 2012 13:17:57 EDT

Name Game posted :

Adobe also revoked a certificate in Sept. 2010 (Thawte, ser.no 026c21adeccb1c1987a5d38ce24167ce). Used on a malicious CAB file.

Since I'm digging...another Adobe cert (UTN-USERFirst-Object, ser. no 00E7817F8DBDB2740D495EFAB67DB867A4) revoked in 2007. Malware.

»twitter.com/aelgum/status/253496875859202048

Re: Adobe's code signing certificate has been stolen

Tue, 02 Oct 2012 16:35:36 EDT

leibold posted :

said by AVD:

that may be the default

I'm sorry if I was unclear but I did mean default behavior. I remember seeing a site that had a nice overview showing which software did not implement CRL checking at all and which software supported CRL checking but had it disabled by default (I'm not sure if there was any that had CRL checking enabled by default).
Of course, I can't find it now :o

Another issue related to CRLs (not applicable to the current topic) is whether only the presented certificate is being checked or whether all the certificates in the signing chain are checked for revocation as well (should you still trust a certificate if the intermediate or root CA certificate was revoked ?).
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!

Re: Adobe's code signing certificate has been stolen

Tue, 02 Oct 2012 16:30:04 EDT

Name Game posted :

said by AVD:

said by Name Game:

Post please if you personally first check the certs from any Adobe product before you install it. ;)

it isn't automatic?

NO.. and i did not generalize that question..I am talking about Adobe and these updates they give specifically.

Certificates

Using Certificates for Code Signing

Certificates can also be used to verify the authenticity of software code that you download from the Internet, install from your company intranet, or purchase on CD-ROM and install on your computer. Unsigned software—software that doesn’t have a valid software publisher’s certificate—can pose a risk to your computer and the information you store on your computer.

When software is signed with a valid certificate from a trusted CA, you know that the software code hasn’t been tampered with and can be safely installed on your computer. During software installation, you’re prompted to verify that you trust the software manufacturer (for example, Microsoft Corporation). You might also be offered the option to always trust software content from that particular software manufacturer. If you choose to trust content from the manufacturer, its certificate goes into your certificate store and other software installations of its products can occur with a circumstance of predefined trust. In the circumstance of predefined trust, you can install software from the manufacturer without being prompted to indicate whether it’s trusted; the certificate on your computer states that you trust the manufacturer of the software.

»technet.microsoft.com/en-us/libr···805.aspx
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Re: Adobe's code signing certificate has been stolen

Tue, 02 Oct 2012 16:20:49 EDT

AVD posted : that may be the default

Re: Adobe's code signing certificate has been stolen

Tue, 02 Oct 2012 16:19:58 EDT

leibold posted :

said by AVD:

said by Name Game:

Post please if you personally first check the certs from any Adobe product before you install it. ;)

it isn't automatic?

In most cases signature verification of a certificate against known certificate authorities is automatic since this can be done against a locally stored list of trusted CAs. Checking of CRLs (certificate revocation lists) is usually not automatic since it requires Internet access.
--
Got some spare cpu cycles ? Join Team Helix or Team Starfire!

Re: Adobe's code signing certificate has been stolen

Tue, 02 Oct 2012 16:13:44 EDT

AVD posted :

said by Name Game:

Post please if you personally first check the certs from any Adobe product before you install it. ;)

it isn't automatic?
--
--Standard disclaimers apply.--

Re: Adobe's code signing certificate has been stolen

Tue, 02 Oct 2012 16:10:19 EDT

Name Game posted : Post please if you personally first check the certs from any Adobe product before you install it. ;)

Re: Adobe's code signing certificate has been stolen

Tue, 02 Oct 2012 15:56:12 EDT

AVD posted :

said by StuartMW:

The whole point of digital signing is to show that the package is legitimate and can be trusted. If certs are stolen (as in the Microsoft case) or can be used for signing (Adobe case) they become useless IMO.

only if revoked
--
--Standard disclaimers apply.--

Re: Adobe's code signing certificate has been stolen

Tue, 02 Oct 2012 11:16:41 EDT

StuartMW posted :

said by Name Game:

The adobe cert purpose was to..

. Ensures software came from the software publisher
and
. Protects the software from alteration after publication

Exactly.

And to get back to the original topic the fact that a legitimate Adobe certificate was used to sign malware is important because

1) The package seems to originate from Adobe.

2) The package was not altered.

The whole point of digital signing is to show that the package is legitimate and can be trusted. If certs are stolen (as in the Microsoft case) or can be used for signing (Adobe case) they become useless IMO.

--
Don't feed trolls--it only makes them grow!

Re: Adobe's code signing certificate has been stolen

Tue, 02 Oct 2012 04:14:52 EDT

KodiacZiller posted :

said by Name Game:

I see it as a backup not a replacement

»en.wikipedia.org/wiki/Comparison···nd_Flash

Well the problem are the non-free codecs. The HTML5 specification originally listed the codecs to be used (Ogg/Theora). Of course this pissed off all the companies looking to make a dollar off their compression patents. And then you have M$ being M$ and refusing to support open formats in IE (all it supports is H.264). Meanwhile Firefox, Chrome and Opera all support WebM and Ogg/Theora. Google said they plan to drop support for H.264 all together in Chrome (which caused a lot of consternation from M$ bloggers).

This leaves IE and Safari as the only two major browsers not to support the free codecs.

Apple is actually on Google's side too, but they are afraid of patent trolls waiting to sue over the use of Theora/WebM, etc. Indeed Steve Jobs said publicly he is tired of Flash and wants to see HTML5 replace it. However, Apple does not want the HTML5 specification to require any specific codec. (And Apple has a point, as HTML does not specify image formats, for example). Therefore, Safari still only supports H.264 as of now.

Google purchased On2 which is a company that developed a competing codec known as VP8. On2 did this behind closed doors, so it was essentially just as closed and proprietary as H.264. But then Google bought them. What did Google do? They opened the source-code and made the codec royalty and license free (now known as WebM). Mozilla and Opera gave their full support to this move as did the Free Software Foundation.

So it all boils down to everyone having their own interests. It is not a technological problem at all. Ogg/Theora/WebM are fully capable of providing high quality audio/video over the web. It's more about trying to get various companies to stop treating free and open formats as the devil.

But we will probably be stuck with a bunch of competing formats for a number of years to come. A lot of sites may adopt HTML5 but many wont. So it will boil down to what your browser supports.
--
Getting people to stop using windows is more or less the same as trying to get people to stop smoking tobacco products. They dont want to change; they are happy with slowly dying inside. -- munky99999

Re: Adobe's code signing certificate has been stolen

Tue, 02 Oct 2012 00:25:05 EDT

Name Game posted : I see it as a backup not a replacement

»en.wikipedia.org/wiki/Comparison···nd_Flash

Re: Adobe's code signing certificate has been stolen

Tue, 02 Oct 2012 00:20:14 EDT

KodiacZiller posted : I am ready for HTML5 to become ubiquitous so that everyone can dump Flash once and for all. There are already free and open codecs out there for the audio/video decoding.

Re: Adobe's code signing certificate has been stolen

Tue, 02 Oct 2012 00:14:29 EDT

Name Game posted : It indicates just what the info states;

. Ensures software came from the software publisher
and
. Protects the software from alteration after publication

And I assume you downloaded and installed it before 10/1/2012

AND you know where it came from.

is that the IE or non IE version ?

»www.oldapps.com/flash_player.php···yer=8243
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Re: Adobe's code signing certificate has been stolen

Mon, 01 Oct 2012 23:57:02 EDT

redwolfe_98 posted : :( the "certificate" is expired.. i am not sure what this means, or what it indicates..

i have "flash player build 10.3.183.25" which is timestamped 9/16/2012..

Re: Adobe's code signing certificate has been stolen

Mon, 01 Oct 2012 23:34:30 EDT

Name Game posted : Purpose for that one is to attest the thing was signed with the current time.

The adobe cert purpose was to..

. Ensures software came from the software publisher
and
. Protects the software from alteration after publication

Re: Adobe's code signing certificate has been stolen

Mon, 01 Oct 2012 23:17:44 EDT

Mele20 posted : I figured it out. I didn't pay enough attention to the fact there is a countersigner to the Adobe digital signature that has expired. The countersigner is Symantec Time Stamping Countersigner and it doesn't expire until December 31, 2012.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Re: Adobe's code signing certificate has been stolen

Mon, 01 Oct 2012 23:02:49 EDT

StuartMW posted :

said by Mele20:

As for Adobe using multiple certs with different expiration dates for the same Flash Player version that is crazy...

+100

[att=1]
--
Don't feed trolls--it only makes them grow!

Re: Adobe's code signing certificate has been stolen

Mon, 01 Oct 2012 22:49:55 EDT

Name Game posted : my cert for the google chrome adobe flash does not expire until dec 2012 as I recall.

It is a 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 which is a compromised cert... I could care less since we already know the files out there in the wild that used this cert and they certainly are not adobe stuff..

Re: Adobe's code signing certificate has been stolen

Mon, 01 Oct 2012 22:49:03 EDT

StuartMW posted :

said by Mele20:

The cert is NOT "OK" and that is a bit scary that the Properties box claims otherwise. :(

I posted the explanation of that above. The message didn't say the cert was ok it said the signature was ok! They're different things.

cert ==> use to create digital signature

cert != digital signature
--
Don't feed trolls--it only makes them grow!

Re: Adobe's code signing certificate has been stolen

Mon, 01 Oct 2012 22:47:56 EDT

Name Game posted : I would assume if you were on a sever and the IT guys had it set up..you might not be able to install it or would get a warning.

Re: Adobe's code signing certificate has been stolen

Mon, 01 Oct 2012 22:47:20 EDT

StuartMW posted :

said by Name Game:

As long as expired certificates are not revoked, they can be used to validate anything that was signed before their expiration.

Yup, but IMO it's bad practice to use a certificate that will expire within weeks. But as Blackbird said that version of Flash would be stale/moldy by then anyway.
--
Don't feed trolls--it only makes them grow!

Re: Adobe's code signing certificate has been stolen

Mon, 01 Oct 2012 22:46:15 EDT

Mele20 posted : Aside from Adobe's motives, or whatever with them, why does the Properties box claim the cert is "OK" when I downloaded Flash Player installer AFTER the expiration time today? The cert is NOT "OK" and that is a bit scary that the Properties box claims otherwise. :(

As for Adobe using multiple certs with different expiration dates for the same Flash Player version that is crazy and certainly not of benefit to the user. (But then since when has Adobe been concerned with benefiting the user)?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson

Re: Adobe's code signing certificate has been stolen

Mon, 01 Oct 2012 22:39:33 EDT

Name Game posted : Trusted root certificates that are required by Windows 2000, by Windows XP, and by Windows Server 2003

Some certificates that are listed in the previous tables have expired. However, these certificates are necessary for backward compatibility. Even if there is an expired trusted root certificate, anything that was signed by using that certificate before the expiration date requires that the trusted root certificate be validated. As long as expired certificates are not revoked, they can be used to validate anything that was signed before their expiration.

For more information about how to remove root certificates from the store, click the following article number to view the article in the Microsoft Knowledge Base:
293819 How to remove a root certificate from the Trusted Root Store

»support.microsoft.com/kb/293781
--
Gladiator Security Forum
»www.gladiator-antivirus.com/

Re: Adobe's code signing certificate has been stolen

Mon, 01 Oct 2012 22:37:08 EDT

StuartMW posted :

said by Mele20:

From your link:
That article is irrelevant as far as to why Adobe has allowed the code signing cert for the CURRENT Flash Player to lapse today.

Agreed. As to why Adobe chose to use a soon-to-expire certificate--who knows. But as I showed above they use multiple certificates. Again I'm not sure why. Different divisions within the company perhaps. Or maybe they use randomly selected certificates to match their randomly generated programming :D
--
Don't feed trolls--it only makes them grow!

Re: Adobe's code signing certificate has been stolen

Mon, 01 Oct 2012 22:30:38 EDT

Blackbird posted :

said by StuartMW:

...I have no idea why Adobe chose to digital sign Flash Player 11.4.402.278 with a certificate that would expire a few weeks later.

Maybe it's a new way to overcome user resistance and compel installation of their frequent security updates. As you noted earlier:

quote:
Clearly they aren't expecting that version to last long!

Adobe is a lot like fresh bread... in a few days, whatever you have today will be stale or moldy.
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775

Re: Adobe's code signing certificate has been stolen

Mon, 01 Oct 2012 22:27:09 EDT

Mele20 posted : From your link:

"The three affected applications are Adobe Muse, Adobe Story AIR applications, and Acrobat.com desktop services."

Flash Player wasn't involved. That article is irrelevant as far as to why Adobe has allowed the code signing cert for the CURRENT Flash Player to lapse today.

OT but what is that weird address you used? If ANYBODY but YOU had posted shit like that I would not have gone there. Post a normal address please in the future.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson