dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
5
share rss forum feed


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20

Re: Adobe's code signing certificate has been stolen

Does not work that way..

The company said the certificate will be re-issued on Oct. 4, but didn’t explain why it would take that long.

»mcaf.ee/vp0iy
--
Gladiator Security Forum
»www.gladiator-antivirus.com/



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

2 edits

said by Name Game:

The company said the certificate will be re-issued on Oct. 4, but didn’t explain why it would take that long.

Well they said that about the compromised certificate. That is not the same certificate that was used for Flash Player 11.4.402.278.

I have no idea why Adobe chose to digital sign Flash Player 11.4.402.278 with a certificate that would expire a few weeks later.

BTW to answer Mele20 See Profile's question the message says This digital signature is ok. The fact the the certificate used to create the signature is now expired doesn't affect the signature. The signature would not be ok if the package was altered (and it wasn't).
--
Don't feed trolls--it only makes them grow!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to Name Game

From your link:

"The three affected applications are Adobe Muse, Adobe Story AIR applications, and Acrobat.com desktop services."

Flash Player wasn't involved. That article is irrelevant as far as to why Adobe has allowed the code signing cert for the CURRENT Flash Player to lapse today.

OT but what is that weird address you used? If ANYBODY but YOU had posted shit like that I would not have gone there. Post a normal address please in the future.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
Reviews:
·Frontier Communi..
reply to StuartMW

said by StuartMW:

...I have no idea why Adobe chose to digital sign Flash Player 11.4.402.278 with a certificate that would expire a few weeks later.

Maybe it's a new way to overcome user resistance and compel installation of their frequent security updates. As you noted earlier:
quote:
Clearly they aren't expecting that version to last long!
Adobe is a lot like fresh bread... in a few days, whatever you have today will be stale or moldy.
--
"Is life so dear, or peace so sweet, as to be purchased at the price of chains and slavery? Forbid it, Almighty God!" -- P.Henry, 1775


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

reply to Mele20

said by Mele20:

From your link:
That article is irrelevant as far as to why Adobe has allowed the code signing cert for the CURRENT Flash Player to lapse today.

Agreed. As to why Adobe chose to use a soon-to-expire certificate--who knows. But as I showed above they use multiple certificates. Again I'm not sure why. Different divisions within the company perhaps. Or maybe they use randomly selected certificates to match their randomly generated programming
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7
reply to Mele20

Trusted root certificates that are required by Windows 2000, by Windows XP, and by Windows Server 2003

Some certificates that are listed in the previous tables have expired. However, these certificates are necessary for backward compatibility. Even if there is an expired trusted root certificate, anything that was signed by using that certificate before the expiration date requires that the trusted root certificate be validated. As long as expired certificates are not revoked, they can be used to validate anything that was signed before their expiration.

For more information about how to remove root certificates from the store, click the following article number to view the article in the Microsoft Knowledge Base:
293819 How to remove a root certificate from the Trusted Root Store

»support.microsoft.com/kb/293781
--
Gladiator Security Forum
»www.gladiator-antivirus.com/


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to StuartMW

Aside from Adobe's motives, or whatever with them, why does the Properties box claim the cert is "OK" when I downloaded Flash Player installer AFTER the expiration time today? The cert is NOT "OK" and that is a bit scary that the Properties box claims otherwise.

As for Adobe using multiple certs with different expiration dates for the same Flash Player version that is crazy and certainly not of benefit to the user. (But then since when has Adobe been concerned with benefiting the user)?
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to Name Game

said by Name Game:

As long as expired certificates are not revoked, they can be used to validate anything that was signed before their expiration.

Yup, but IMO it's bad practice to use a certificate that will expire within weeks. But as Blackbird See Profile said that version of Flash would be stale/moldy by then anyway.
--
Don't feed trolls--it only makes them grow!


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit
reply to Mele20

said by Mele20:

The cert is NOT "OK" and that is a bit scary that the Properties box claims otherwise.

I posted the explanation of that above. The message didn't say the cert was ok it said the signature was ok! They're different things.

cert ==> use to create digital signature

cert != digital signature
--
Don't feed trolls--it only makes them grow!


Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

3 edits
reply to Mele20

my cert for the google chrome adobe flash does not expire until dec 2012 as I recall.

It is a 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88 which is a compromised cert... I could care less since we already know the files out there in the wild that used this cert and they certainly are not adobe stuff..



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit
reply to Mele20

said by Mele20:

As for Adobe using multiple certs with different expiration dates for the same Flash Player version that is crazy...

+100



--
Don't feed trolls--it only makes them grow!

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

1 recommendation

reply to Name Game

I figured it out. I didn't pay enough attention to the fact there is a countersigner to the Adobe digital signature that has expired. The countersigner is Symantec Time Stamping Countersigner and it doesn't expire until December 31, 2012.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Name Game
Premium
join:2002-07-07
Grand Rapids, MI
kudos:7

1 edit

Purpose for that one is to attest the thing was signed with the current time.

The adobe cert purpose was to..

. Ensures software came from the software publisher
and
. Protects the software from alteration after publication



StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

said by Name Game:

The adobe cert purpose was to..

. Ensures software came from the software publisher
and
. Protects the software from alteration after publication

Exactly.

And to get back to the original topic the fact that a legitimate Adobe certificate was used to sign malware is important because

1) The package seems to originate from Adobe.

2) The package was not altered.

The whole point of digital signing is to show that the package is legitimate and can be trusted. If certs are stolen (as in the Microsoft case) or can be used for signing (Adobe case) they become useless IMO.

--
Don't feed trolls--it only makes them grow!


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1

said by StuartMW:

The whole point of digital signing is to show that the package is legitimate and can be trusted. If certs are stolen (as in the Microsoft case) or can be used for signing (Adobe case) they become useless IMO.

only if revoked
--
--Standard disclaimers apply.--