UPDATED 16:26 EDT / SEPTEMBER 28 2012

Adobe Signing Certificate Hijacked, Company Will Revoke

Adobe has released a statement from Brad Arkin, Sr. Director of Product Security and Privacy, confirming that a company build server was compromised and used to get malicious utilities signed with an Adobe code signing certificate. The discovery prompted a forensic investigation, after which the signing infrastructure was immediately decommissioned. The company also states that the certificate in question will be revoked on October 4th. The revocation will only affect systems on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh.

Adobe says customers should not notice anything out of the ordinary during the certificate revocation process. Further details about what to expect, along with a utility to help determine what steps, if any, a user needs to take, are available on the Adobe support page.

Malicious applications seek a valid code signature in order to gain the elevated privileges and access that make their dirty work possible. After analyzing the attacks, Adobe believes that the vast majority of users are not at risk. Adobe has shared samples of the attacks with the Microsoft Active Protection Program (MAPP) in order to provide the best information possible to detect and prevent these attacks.

“The first malicious utility we received is pwdump7 v7.1. This utility extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay32.dll. The sample we received included two separate and individually signed files. We believe the second malicious utility, myGeeksmail.dll, is a malicious ISAPI filter. Unlike the first utility, we are not aware of any publicly available versions of this ISAPI filter. More details describing the impacted certificate and the malicious utilities, including MD5 hash values for the files, are included in the Adobe security advisory.”

Since the signing infrastructure was taken down, an interim signing service has been in place to handle the signing of components affected by the compromised key.

A forensic investigation is ongoing. Arkin continues:

“We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server and request signatures for the malicious utilities from the code signing service via the standard protocol used for valid Adobe software.”

“Through this process we learned a great deal about current issues with code signing and the impact of the inappropriate use of a code signing certificate. We plan to share our lessons learned as well as foster a conversation within the industry about the best way to protect users and minimize the impact on users in cases where the revocation of a certificate becomes necessary (as in this example). Please stay tuned for more details in the coming weeks.”
