
Monday 1 October 2012

Adobe Revokes Certificates Following Server Compromise



Adobe is in the process of revoking certain digital certificates after discovering two malicious utilities signed by valid Adobe certs. 

Adobe's senior director of security, Brad Arkin, wrote in a blog post that attackers had compromised an Adobe build server (not the certificates themselves) that was able to make code signing requests to Adobe's actual code signing service.

The breach occurred on July 10, so any certs signed with the impacted key from then until October 4 will be revoked, Arkin wrote.  

Adobe Downplays Impact
"This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications [Adobe Muse, Adobe Story AIR, and Acrobat.com] that run on both Windows and Macintosh. The revocation does not impact any other Adobe software for Macintosh or other platforms," he said. 

So far, Adobe has found only two malicious utilities, pwdump7 v7.1 and myGeeksmail.dll, bearing the certificates. Adobe told Securityweek that "the evidence indicates that the certificate was not used to sign widespread malware." 
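A defender's triage of the revocation policy described above, as an added example that is not from the article or from Adobe: given an inventory of signed files, it flags the two named utilities by hash, treats any signature made with the compromised certificate from July 10 onward as revoked, and refuses to clear a signature whose date is not backed by a timestamp countersignature, since a signer-asserted date could be backdated. The certificate thumbprint, file hashes and inventory are placeholders constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Placeholders: the article names the two signed utilities but gives neither
# their hashes nor the thumbprint of the compromised Adobe certificate.
COMPROMISED_CERT_THUMBPRINT = "PLACEHOLDER-ADOBE-CERT-THUMBPRINT"
KNOWN_BAD_SHA256 = {"PLACEHOLDER-SHA256-OF-pwdump7", "PLACEHOLDER-SHA256-OF-myGeeksmail.dll"}
# Date-scoped revocation: signatures made with the impacted key from the
# July 10, 2012 breach onward are revoked; earlier signatures stay valid.
REVOKED_FROM = datetime(2012, 7, 10, tzinfo=timezone.utc)

@dataclass
class SignedBinary:
    path: str
    sha256: str
    signer_thumbprint: str
    signing_time: Optional[datetime]  # time claimed for the signature, if any
    countersigned: bool               # True if a timestamp authority vouches for it

def triage(b: SignedBinary) -> str:
    """Classify one signed file as 'known-bad', 'revoked', 'untrusted' or 'ok'."""
    if b.sha256 in KNOWN_BAD_SHA256:
        return "known-bad"
    if b.signer_thumbprint != COMPROMISED_CERT_THUMBPRINT:
        return "ok"  # signed by a certificate this incident does not touch
    # A date-scoped revocation is only as good as the signing time it relies on:
    # the signer sets the plain signing-time attribute itself, so whoever held
    # the build server could backdate it. Only a countersignature from a
    # timestamp authority fixes the time independently of the signer.
    if b.signing_time is None or not b.countersigned:
        return "untrusted"
    if b.signing_time >= REVOKED_FROM:
        return "revoked"
    return "ok"  # signed before the breach; that signature remains valid

def triage_inventory(files: List[SignedBinary]) -> Dict[str, str]:
    """Map each path in an inventory to its triage verdict."""
    return {b.path: triage(b) for b in files}

def _utc(month: int, day: int) -> datetime:
    return datetime(2012, month, day, tzinfo=timezone.utc)

# Constructed sample inventory: paths, hashes and thumbprints are made up.
SAMPLE = [
    SignedBinary("tools/pwdump7.exe", "PLACEHOLDER-SHA256-OF-pwdump7", COMPROMISED_CERT_THUMBPRINT, _utc(7, 26), True),
    SignedBinary("adobe/pre_breach.exe", "h1", COMPROMISED_CERT_THUMBPRINT, _utc(5, 1), True),
    SignedBinary("adobe/backdated.exe", "h2", COMPROMISED_CERT_THUMBPRINT, _utc(5, 1), False),
    SignedBinary("other/vendor.exe", "h4", "OTHER-THUMBPRINT", None, False),
]
```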

The Story's Not Over, Security Experts Say
But although the current scope is small, some security experts warn that the impact could be huge.

Kaspersky's Roel Schouwenberg questioned why Adobe had backdated the cert revocation to July 10, when the two malicious files were signed two weeks later.

"Is Adobe 100 percent confident no other malicious files were signed?" he asked. "We should view this as along the same lines as the RSA attack."

Furthermore, he said, no one knows who the attackers are really targeting. "So far nothing suggests that Adobe was the real target."

F-Secure's Sean Sullivan agreed that although "there's definitely no need to panic at this point" about getting infected by a stolen Adobe signature, we shouldn't move on too quickly.

"Being the build server, it makes one wonder if any developer computers have been compromised to allow code to be injected into Adobe's apps. Injecting a backdoor into Adobe's apps would be so much more valuable than spoofing its cert," he said.

In a statement, Paul Zimski of Lumension said that with the right certificates an attacker "could theoretically impersonate a legitimate software update, and spread malware payloads through these mechanisms."

"The installed software is going to think it's downloading a valid update, but it's actually a false update signed with a fraudulent, but real certificate. I'm not saying that's what was done here, but this is the Holy Grail of what could happen."

The issue now, Zimski said, is where the attackers are going next.

Similarly, Wes Miller, research VP at Directions on Microsoft, said the fact that attackers now have a code signing certificate for code "from one of the most pervasive companies on the planet, and one that is constantly patching" means it will take quite a bit of time for Adobe to revoke the certificates on a global level. And in the meantime, "how large of a threat vector does this pose?"

Adobe posted the malicious utilities on the Microsoft Active Protection Program (MAPP) so security vendors could detect and block them. At the moment, using an up-to-date anti-virus is your best bet, Schouwenberg said. 

Source: securitywatch.pcmag.com
