Adobe revokes code-signing certificate after hack
Adobe is to revamp its code-signing certificate process after discovering malware that had been signed with one of its certificates, meaning it would be treated as trusted software by computers.
According to Adobe, hackers gained access to a compromised build server that was able to submit code to the company’s code-signing system and have it signed.
Code-signing certificates are cryptographic identifiers that are intended to confirm that executable software comes from the author and should be allowed to run.
A breach in the code-signing process means malware could be trusted and installed, leading Adobe to decommission certain certificates, which will no longer work after 4 October.
“We are proceeding with plans to revoke the certificate and publish updates for existing Adobe software signed using the impacted certificate,” the company said in a blog post detailing the issue.
“This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications [Adobe Muse and Story AIR applications and Acrobat.com desktop services] that run on both Windows and Macintosh.”
According to Adobe, most end users will not be at risk, but the company said the malware could have been used in targeted attacks trying to get into company networks.
“Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise,” Adobe said. “As a result, we believe the vast majority of users are not at risk.”
Adobe also said it set up an interim system to continue issuing certificates as and when needed as the investigation continues, but that it would include manual checks.
“The interim signing solution includes an offline human verification to ensure that all files scheduled for signature are valid Adobe software,” the company said. “We are in the process of designing and deploying a new, permanent signing solution.”
According to security company F-Secure, the breached certificate (serial number 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88) has been used to sign more than 5,000 different files, but the vast majority of them were legitimate.
“Our sample repository has 5127 files that have been signed with the compromised Adobe certificate,” said F-Secure’s Mikko Hypponen on Twitter, adding that there are “only three bad files”.
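Because the affected software runs on Windows, the practical check for an administrator is to look for binaries whose Authenticode signer carries the serial number F-Secure quotes. The script below is an added example, not Adobe’s or F-Secure’s code; it assumes Windows PowerShell with the built-in Get-AuthenticodeSignature cmdlet and a scan root chosen by the caller.

```powershell
# Added example: list Windows binaries under $ScanRoot whose Authenticode
# signer certificate has the compromised serial number quoted in the article.
function Find-RevokedAdobeSignatures {
    param(
        # Directory tree to scan, e.g. 'C:\Program Files' (caller-supplied assumption)
        [Parameter(Mandatory)] [string] $ScanRoot,
        # Serial exactly as the article prints it: spaced, lowercase hex groups
        [string] $RevokedSerial = '15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88'
    )

    # X509Certificate2.SerialNumber is reported as uppercase hex with no separators,
    # so normalise the printed form before comparing.
    $target = ($RevokedSerial -replace '[\s:]', '').ToUpperInvariant()

    Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.exe, *.dll, *.sys, *.ocx `
                  -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate          # $null for unsigned files
            if ($null -ne $cert -and $cert.SerialNumber -eq $target) {
                [pscustomobject]@{
                    Path    = $_.FullName
                    Subject = $cert.Subject
                    Serial  = $cert.SerialNumber
                    Status  = $sig.Status           # chain status as Windows evaluates it now
                }
            }
        }
}

# Usage: Find-RevokedAdobeSignatures -ScanRoot 'C:\Program Files' | Format-Table -AutoSize
```

A hit only means the file was signed with the revoked certificate; as F-Secure’s figures show, almost all such files are legitimate Adobe software that simply needs the re-signed updates Adobe is publishing.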