
Hackers compromise Adobe server to digitally sign malicious files

Adobe rushing to revoke certificate used to create the signatures


Adobe plans to revoke a code-signing certificate after hackers compromised one of the company's internal servers and used it to digitally sign two malicious utilities.

"We received the malicious utilities in the late evening of September 12 from a single, isolated (unnamed) source," said Wiebke Lips, senior manager of corporate communications at Adobe. "As soon as the validity of the signatures was confirmed, we immediately initiated steps to deactivate and revoke the certificate used to generate the signatures."

One of the malicious utilities was a digitally signed copy of Pwdump7 version 7.1, a publicly available Windows account password extraction tool that also included a signed copy of the libeay32.dll OpenSSL library.

The second utility was an ISAPI filter called myGeeksmail.dll. ISAPI filters can be installed in IIS or Apache for Windows Web servers in order to intercept and modify HTTP streams.

The two rogue tools could be used on a machine after it was compromised and would likely pass a scan by security software since their digital signatures would appear legitimate coming from Adobe.

"Some antivirus solutions don't scan files signed with valid digital certificates coming from trustworthy software makers such as Microsoft or Adobe," said Bogdan Botezatu, a senior e-threat analyst at antivirus vendor BitDefender. "This would give the attackers a huge advantage: Even if these files were heuristically detected by the locally installed AV, they would be skipped by default from scanning, which dramatically enhances the attackers' chance of exploiting the system."

Brad Arkin, Adobe's senior director of security for products and services, wrote in a blog post that the rogue code samples have been shared with the Microsoft Active Protection Program (MAPP) so security vendors can detect them. Adobe believes "the vast majority of users are not at risk" because tools like the ones that were signed are normally used during "highly targeted attacks," not widespread ones, he wrote.

"At the moment, we have flagged all the received samples as malicious and we continue monitoring their geographical distribution," Botezatu said. BitDefender is one of the security vendors enrolled in MAPP.

However, Botezatu couldn't say if any of these files were actively detected on computers protected by the company's products. "It's too early to tell, and we don't have sufficient data yet," he said.

Adobe traced back the compromise to an internal "build server" that had access to its code-signing infrastructure. "Our investigation is still ongoing, but at this time, it appears that the impacted build server was first compromised in late July," Lips said.

"To date we have identified malware on the build server and the likely mechanism used to first gain access to the build server," Arkin said. "We also have forensic evidence linking the build server to the signing of the malicious utilities."

The configuration of the build server was not up to Adobe's corporate standards for a server of this nature, Arkin said. "We are investigating why our code-signing access provisioning process in this case failed to identify these deficiencies."

The misused code-signing certificate was issued by VeriSign on December 14, 2010, and is scheduled to be revoked at Adobe's request on October 4. This operation will impact Adobe software products that were signed after July 10, 2012.

"This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh," Arkin said.
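The two defensive points in the paragraphs above, that a valid signature says who signed a file and nothing about whether it is safe, and that a revocation backdated to 10 July 2012 invalidates only signatures made after that date, can be modelled as a small trust decision. The following is an added example, not code from the article or from Adobe, Symantec or BitDefender; the certificate serial, file contents and hashes are constructed placeholders, and the timestamps are assumed to come from a trusted timestamp countersignature on each file.

```python
"""Trust decision for a signed Windows binary after its code-signing
certificate is revoked with a backdated effective date.

Added illustration: the serial numbers, file contents and hashes below are
constructed placeholders, not values from the Adobe incident.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib
from typing import Dict, Optional, Set

UTC = timezone.utc


@dataclass(frozen=True)
class Revocation:
    """A revoked signing certificate and the instant from which the
    revocation applies (the article gives 10 July 2012 for Adobe's)."""
    serial: str
    effective: datetime


@dataclass(frozen=True)
class SignedFile:
    name: str
    content: bytes
    cert_serial: str
    # Signing time taken from a trusted timestamp countersignature.
    # None means the signature carries no trusted timestamp at all.
    signed_at: Optional[datetime]


# Constructed: a placeholder serial standing in for the revoked certificate.
REVOCATIONS: Dict[str, Revocation] = {
    "PLACEHOLDER-SERIAL-0001": Revocation(
        serial="PLACEHOLDER-SERIAL-0001",
        effective=datetime(2012, 7, 10, tzinfo=UTC),
    ),
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def signature_status(f: SignedFile, revocations: Dict[str, Revocation]) -> str:
    """Return 'valid' or 'revoked' for the signature on f.

    A signature survives revocation only if a trusted timestamp proves it
    was made before the revocation's effective date. Without a timestamp
    there is no way to show that, so the signature is treated as revoked.
    """
    rev = revocations.get(f.cert_serial)
    if rev is None:
        return "valid"
    if f.signed_at is None:
        return "revoked"
    return "valid" if f.signed_at < rev.effective else "revoked"


def assess(f: SignedFile, revocations: Dict[str, Revocation],
           known_bad_sha256: Set[str]) -> str:
    """Return 'block' or 'scan'.

    The content hash is checked first and independently of the signature:
    a file on the shared-sample list is blocked even when its signature is
    valid. A valid signature never short-circuits scanning; it only tells
    us which key signed the file.
    """
    if sha256_hex(f.content) in known_bad_sha256:
        return "block"
    if signature_status(f, revocations) == "revoked":
        return "block"
    return "scan"


# Constructed sample files (contents are placeholder byte strings).
SAMPLES = [
    SignedFile("product_june.exe", b"constructed: build signed 1 June 2012",
               "PLACEHOLDER-SERIAL-0001", datetime(2012, 6, 1, tzinfo=UTC)),
    SignedFile("product_august.exe", b"constructed: build signed 15 Aug 2012",
               "PLACEHOLDER-SERIAL-0001", datetime(2012, 8, 15, tzinfo=UTC)),
    SignedFile("untimestamped.exe", b"constructed: no trusted timestamp",
               "PLACEHOLDER-SERIAL-0001", None),
    # Valid signature from an unrelated, non-revoked certificate, but the
    # content is on the shared-sample list: signature must not exempt it.
    SignedFile("rogue_filter.dll", b"constructed: rogue ISAPI filter",
               "PLACEHOLDER-SERIAL-OTHER", datetime(2012, 6, 1, tzinfo=UTC)),
]
KNOWN_BAD_SHA256: Set[str] = {sha256_hex(b"constructed: rogue ISAPI filter")}


def run() -> Dict[str, str]:
    """Assess every sample and return a name -> verdict mapping."""
    return {f.name: assess(f, REVOCATIONS, KNOWN_BAD_SHA256) for f in SAMPLES}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:22s} {verdict}")
```

The ordering in `assess` is the point: the content check runs before, and regardless of, the signature check, so a valid Adobe signature on a known sample does not exempt it from detection; and the backdated effective date means only builds signed after 10 July 2012 need re-signing, which is why Adobe's help page lists updated versions rather than every product ever signed with the certificate.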

Adobe published a help page that lists the affected products and contains links to updated versions signed with a new certificate.

Symantec, which now owns and operates the VeriSign certificate authority, stressed that the misused code-signing certificate was entirely under Adobe's control.

"None of Symantec's code-signing certificates were at risk," Symantec said yesterday. "This was not a compromise of Symantec's code-signing certificates, network or infrastructure."

Adobe decommissioned its code-signing infrastructure and replaced it with an interim signing service that requires files to be manually checked before being signed, Arkin said. "We are in the process of designing and deploying a new, permanent signing solution."

"It's hard to determine the implications of this incident, because we can't be sure that only the shared samples were signed without authorisation," Botezatu said. "If the password dumper application and the open-source SSL library are relatively innocuous, the rogue ISAPI filter can be used for man-in-the-middle attacks - typical attacks that manipulate the traffic from the user to the server and vice-versa, among others," he said.




Comments

Mike_Acker said: Adobe is going to find themselves in the dustbin if they don't clean up their act. It may be too late already.
