“We recently received two malicious utilities that appeared to be digitally signed using a valid Adobe code signing certificate,” said Brad Arkin, senior director of product security and privacy at Adobe. “The discovery of these utilities was isolated to a single source. As soon as we verified the signatures, we immediately decommissioned the existing Adobe code signing infrastructure and initiated a forensics investigation to determine how these signatures were created. We have identified a compromised build server with access to the Adobe code signing infrastructure.”
Despite the presence of the words “hacker” and “malware” when describing the problem, the company is taking pains to mitigate any panic factor by putting the scope of the issue into perspective. Adobe said that it has “strong reason” to believe that the issue does not present a general security risk. The revocation is prompted by a single isolated discovery of two malicious utilities signed using the certificate, and evidence shows that the certificate was not used to sign widespread malware, it hastened to add. And, Adobe’s investigation to date has shown no evidence that any other sensitive information – including Adobe source code or customer, financial or employee data – was compromised, it noted.
Just to be on the safe side, Adobe said that it is working closely with the security community to allow anti-virus or intrusion detection and prevention vendors to develop protections for customers to detect and block the inappropriately signed utilities. In addition, Adobe is working internally and with external partners – including law enforcement – to gather data, examine the findings and “determine the appropriate course of action.”
In the meantime, some security vendors are working on a recommended plan of action.
“The Adobe digital signature compromise is a further example of an evolving threat that can evade software security. It could be a rootkit or Advanced Persistent Threat attack that injected the malware into this particular server, and embedded hardware security is the only way to detect anomalies of behavior caused by malware in the pre-boot stage,” said Joseph Souren, vice president and GM for EMEA at Wave Systems. “A Trusted Platform Module (TPM) chip stores the signatures of every piece of software on the machine and identifies abnormal activity.”
He added, “If enterprises have the signature of the legitimate software in the TPM and a management console, they can determine if the actual software trying to boot matches that signature. They can then discover any changes in the BIOS or the master boot record. If the signatures don't match, or if changes are detected, then IT will be alerted allowing the enterprise to contain the threat risk.”
The revocation of the certificate affects the Windows platform and three Adobe AIR applications that run on both Windows and Macs. But the company also said that only a small number of customers, in particular administrators in managed Windows environments, may need to take certain action. But customers should not notice anything out of the ordinary during the certificate revocation process, and the issue will have no impact on the security of genuine Adobe software.
Adobe said that it will soon issue an update signed using a new digital certificate for all affected products. The revocation begins October 4 for all software code signed after July 10, 2012.