
MagnusM
Premium
join:2001-07-07
reply to norwegian

Re: Adobe's code signing certificate has been stolen

Seems the first tweet (»twitter.com/mikko/status/251429422807265280) was a bit unclear:

quote:
Our sample repository has 5127 files that have been signed with the compromised Adobe certificate. pic.twitter.com/t0o9M0YA

Today, he tweeted this update (»twitter.com/mikko/status/2514561···739648):

quote:
We have thousands of clean, official Adobe files signed with the compromised certificate. Only 3 bad files.

--
Mischel Internet Security - Developer of TrojanHunter


norwegian
Premium
join:2005-02-15
Outback

We have thousands of clean, official Adobe files signed with the compromised certificate. Only 3 bad files.

Interesting. 3 only, yet all 5127 were malware samples?
Something to be kept low key....

--
The only thing necessary for the triumph of evil is for good men to do nothing - Edmund Burke



MagnusM
Premium
join:2001-07-07

1 recommendation

That confused me too at first, but I believe they store clean files in their sample repository, so there were 5127 files in total, 5124 of which were legitimate signed Adobe files and then 3 malware files.
--
Mischel Internet Security - Developer of TrojanHunter



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to norwegian

Adobe--it's all a Flash in the pan



norwegian
Premium
join:2005-02-15
Outback
reply to MagnusM

Understand that could be true too.

I was more curious about the date stamp anyway, if known, whether it was 3 days or so ago or older. The rest was just insight into figures, which as you point out can be read many ways without the database facts that need to go with it.



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

I doubt you'll find out much more info. Adobe will most likely keep the facts very close to their chest. The classic "nothing to see here... move along". That's how it's handled these days.

A number of large US banks were attacked in the last week and almost all press releases said something to the effect of:

"We take security seriously and are constantly monitoring it"
"There was no effect on customer accounts"

blah blah blah...
--
Don't feed trolls--it only makes them grow!



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit
reply to MagnusM

Serial Number of the compromised Adobe certificate is 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88

»twitter.com/mikko/status/2514324···/photo/1

Security Advisory: Upcoming Revocation of Adobe code signing certificate

DETAILS

Adobe is investigating what appears to be the misuse of an Adobe code signing certificate. Adobe is aware at this time of two malicious utilities from a single source that appeared to be digitally signed using a valid Adobe code-signing certificate.

The first malicious utility is pwdump7 v7.1. This utility extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay.dll. The sample we received included the two files separate and individually signed.

PwDump7.exe:
MD5 hash: 130F7543D2360C40F8703D3898AFAC22
File size: 81.6 KB (83,648 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00)
MD5 hash of file with signature removed: D1337B9E8BAC0EE285492B89F895CADB

libeay32.dll:
MD5 hash: 095AB1CCC827BE2F38620256A620F7A4
File size: 999 KB (1,023,168 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:13 PM PDT (GMT -7:00)
MD5 hash of file with signature removed: A7EFD09E5B963AF88CE2FC5B8EB7127C

The second malicious utility, myGeeksmail.dll, appears to be a malicious ISAPI filter. Unlike the first utility, we are not aware of any publicly available versions of this ISAPI filter.

myGeeksmail.dll:
MD5 hash: 46DB73375F05F09AC78EC3D940F3E61A
File size: 80.6 KB (82,624 bytes)
Signature timestamp: Wednesday, July 25, 2012 8:48:59 PM (GMT -7:00)
MD5 hash of file with signature removed: 8EA2420013090077EA875B97D7D1FF07

»www.adobe.com/support/security/a···-01.html


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

FYI the Adobe Flash Player 11.4.402.278 installers I have are signed with a certificate with the serial number 7e 28 2b 07 49 66 9b 59 5f 79 49 ff 06 13 4e 92.

Shockwave Player 11.6.7.637 uses 60 8a ad 6f 0d ed 59 8a b9 8c bf 81 18 7c 91 bb.

Acrobat Reader 9.5.x/X 10.1.4 both use 02 90 96 5e 91 33 40 cd a6 63 4c ef 31 f7 fd 07.

It appears Adobe uses a different certificate for every product.
--
Don't feed trolls--it only makes them grow!



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to MagnusM

Magnus, you will love this one... they seem to be on a roll.

Are anti-virus companies regularly committing software piracy?

»security.stackexchange.com/quest···e-piracy
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



mazhurg
Premium
join:2004-05-02
Brighton, ON
Reviews:
·MTS
reply to Name Game


Certificate #

Version
said by Name Game:

Serial Number of the compromised Adobe certificate is 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88

That would be the code used to sign the flash player install V 11.4.400.252 (Windows 7 64-bit)


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by mazhurg:

That would be the code used to sign the flash player install V 11.4.400.252 (Windows 7 64-bit)

Thanks for the info.

Adobe may have signed later versions of Flash with a newer certificate since the one you posted expires on 12/14/2012.
--
Don't feed trolls--it only makes them grow!


leibold
Premium,MVM
join:2002-07-09
Sunnyvale, CA
kudos:10
Reviews:
·SONIC.NET

said by StuartMW:

Adobe may have signed later versions of Flash with a newer certificate since the one you posted expires on 12/14/2012.

Wouldn't the serial number be different on a renewed certificate? With the software I'm using, every certificate (regardless of whether new or renewal) gets a unique serial number from the CA, but I don't know if that is universal for all certificate authorities.
--
Got some spare cpu cycles? Join Team Helix or Team Starfire!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

3 edits


Flash Player 11.4.402.278 certificate
said by leibold:

Wouldn't the serial number be different on a renewed certificate?

Um, it is.

»Re: Adobe's code signing certificate has been stolen

quote:
FYI the Adobe Flash Player 11.4.402.278 installers I have are signed with a certificate with the serial number 7e 28 2b 07 49 66 9b 59 5f 79 49 ff 06 13 4e 92.

And I said new (not renewed).

PS: Flash Player 11.4.402.278 was signed with a certificate that expires 10/1/2012. LOL. Clearly they aren't expecting that version to last long!
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to leibold

Also...

It is not public key stuff, so the serial number would be the same for everyone who used the product in the time frame the cert was still valid and came with the download... just don't want people to start thinking every user would be getting a unique serial number for their own benefit.

It is a Web Server SSL Certificate

A Web Server SSL Certificate contains the following information:
The certificate holder's name,
The certificate's serial number and expiration date,
Copy of the certificate holder's public key,
The digital signature of the certificate-issuing authority.

»products.secureserver.net/produc···urbo.htm
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by Name Game:

...just don't want people to start thinking every user would be getting a unique serial number for their own benefit.

Yup.

In short, if you download something that is digitally signed with this certificate, consider it suspect.

And that goes for Flash too.
--
Don't feed trolls--it only makes them grow!
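As an added example (not code from the thread, from Adobe, or from F-Secure), here is how a defender would act on the two points made above: Name Game's list of what a certificate carries (holder name, serial number, expiry, issuer signature) and StuartMW's rule that anything signed with the posted serial is suspect. The PowerShell function below reads the Authenticode signer certificate of each file, reports those fields, and flags files whose signer serial matches the compromised one or whose MD5 matches one of the three malicious files in Adobe's advisory. It assumes Windows PowerShell 4.0 or later (for Get-FileHash); the scan folder C:\ScanMe is a placeholder.

```powershell
# Added example (not from the thread or from Adobe): flag Windows binaries whose
# Authenticode signer is the compromised Adobe certificate posted in this thread,
# or whose MD5 matches one of the three malicious files in Adobe's advisory.
# Assumes Windows PowerShell 4.0 or later (Get-FileHash); the scan path is a placeholder.

function ConvertTo-NormalizedSerial {
    param([Parameter(Mandatory)][string]$Serial)
    # Human-readable listings separate the bytes with spaces or colons and use
    # lowercase hex; X509Certificate2.SerialNumber is uppercase hex with no separators.
    return ($Serial -replace '[\s:]', '').ToUpperInvariant()
}

# Serial number of the compromised certificate, as posted by Name Game above.
$CompromisedSerials = @(
    (ConvertTo-NormalizedSerial '15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88')
)

# MD5 hashes of the signed malicious files from Adobe's advisory (signature still attached).
$KnownBadMd5 = @{
    '130F7543D2360C40F8703D3898AFAC22' = 'PwDump7.exe'
    '095AB1CCC827BE2F38620256A620F7A4' = 'libeay32.dll'
    '46DB73375F05F09AC78EC3D940F3E61A' = 'myGeeksmail.dll'
}

function Test-CompromisedAdobeSignature {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Path)
    process {
        $sig  = Get-AuthenticodeSignature -FilePath $Path
        $cert = $sig.SignerCertificate            # $null when the file is unsigned
        $md5  = (Get-FileHash -Path $Path -Algorithm MD5).Hash

        $serial = $null
        if ($cert) { $serial = $cert.SerialNumber }

        [pscustomobject]@{
            Path            = $Path
            Status          = $sig.Status         # Valid, NotSigned, HashMismatch, NotTrusted, ...
            Signer          = $cert.Subject       # the certificate holder's name
            Issuer          = $cert.Issuer        # the CA that signed the certificate
            SerialNumber    = $serial
            NotAfter        = $cert.NotAfter      # expiry (12/14/2012 for the compromised cert, per StuartMW)
            CompromisedCert = [bool]($serial -and ($CompromisedSerials -contains $serial))
            KnownBadHash    = $KnownBadMd5[$md5]  # file name from the advisory, or $null
        }
    }
}

# Usage: scan a folder of downloaded installers and list only the files worth a second look.
# 'C:\ScanMe' is a placeholder; point it at the folder holding the installers.
Get-ChildItem -Path 'C:\ScanMe' -Recurse -Include *.exe, *.dll, *.msi |
    Select-Object -ExpandProperty FullName |
    Test-CompromisedAdobeSignature |
    Where-Object { $_.CompromisedCert -or $_.KnownBadHash } |
    Format-Table Path, Status, SerialNumber, NotAfter, KnownBadHash -AutoSize
```

Two things about reading the output. A serial match only identifies the certificate, not the file: as the F-Secure tweet quoted at the top of the thread says, thousands of clean, official Adobe files carry that same signature, so a CompromisedCert hit means "replace with Adobe's re-signed build", while only a KnownBadHash hit ties the file to one of the three malicious samples in the advisory. And the serial is compared after normalization because the thread writes it as spaced lowercase bytes while PowerShell reports it as one uppercase hex string; comparing the raw strings would silently never match.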

redwolfe_98
Premium
join:2001-06-11
kudos:1
Reviews:
·Time Warner Cable

2 recommendations

reply to mazhurg

said by mazhurg:

said by Name Game:

Serial Number of the compromised Adobe certificate is 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88

so this explains the recent "strange" release of "new" adobe "flash player" installers, where the builds supposedly were identical but, strangely, they were given new build numbers, and without any new release notes..

i use adobe flash player 10.x.. build 10.3.183.23 had the compromised digital signature.. build 10.3.183.25 has a new, different digital signature..


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

Good point! I'd forgotten (or blocked) about that.
--
Don't feed trolls--it only makes them grow!