Adobe scrambles to revoke stolen cert

Adobe has revealed an attack that compromised some of its software development servers, resulting in its code signing certificate being used to disguise malware as Adobe software. The attackers compromised a build server, Adobe says in this statement, which had “access to the Adobe code signing infrastructure”. The build server …

COMMENTS

This topic is closed for new posts.
Alert

Is this new?

I've seen quite a bit of malware that causes system crashes, slows things down, and opens back doors. All of it was signed with an Adobe certificate. Some of it was even integrated into the browser and would prompt to install or update itself when visiting certain sites. Another vector was files with a .pdf extension. Upon trying to open one, you would be prompted with a request to download the malware. I'm not sure in what way this is news.

Gold badge
Coat

Re: Is this new?

... causes system crashes, slows things down, and opens back doors. All of it was signed with Adobe certificate.

It didn't also display a splash screen saying "Adobe Air" by any chance?

Silver badge
Thumb Up

@solidsoup

Think you may have needed to put a joke alert on your comment, as it's likely to go flying over many people's heads. Then again, it's no joke.

Gold badge

Re: @solidsoup

Yup - he is right. As far as I can tell from the quality, malware is all the free software Adobe is making these days..

Bronze badge

How can this happen?

Anyone with a clue about security knows that you never, ever connect critical machines like that to the internet.

The simplest secure method I have seen is that the dev and test network has an internal-only cert for testing code and various builds. When a build passes, it gets burned to a disc and taken to the build server, where it is then built and burned onto another disc, which gets uploaded as the release version.

Nearly every machine (including servers) contains a DVD-RW drive, so all it's costing you is the hour or so to pay someone to make the discs and about $0.05 for the disc itself. Helps with auditing too, as you know exactly who would have access to the code-signing cert.

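The hand-carried build step above only helps if the build side can tell that what came off the disc is exactly what left the dev network. Here is an added example of the check a practitioner would bolt onto that process; it is not code from the thread or from Adobe. The sending side hashes every file into a manifest and carries the manifest's own SHA-256 out of band (printed, read over the phone, written on the disc sleeve); the receiving side recomputes and rejects anything missing, added or changed. The file names and layout in the demo are constructed for the example.

```python
"""Integrity manifest for carrying a source snapshot across an air gap.

Added example, not code from the thread or from Adobe. Paths, file names and
the sample tree below are constructed for the demonstration."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large build inputs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file under root (POSIX-style relative path) to its SHA-256."""
    entries = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            entries[p.relative_to(root).as_posix()] = sha256_file(p)
    return entries


def manifest_bytes(entries: dict) -> bytes:
    # Canonical encoding: the same dict always serialises to the same bytes,
    # so the out-of-band digest computed on each side is comparable.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def manifest_digest(entries: dict) -> str:
    """The one value that must travel by a different path than the disc."""
    return hashlib.sha256(manifest_bytes(entries)).hexdigest()


def verify_tree(root: Path, manifest: dict, expected_digest: str):
    """Return (ok, problems); problems lists every divergence, not just the first."""
    problems = []
    if manifest_digest(manifest) != expected_digest:
        problems.append("manifest digest mismatch: manifest itself was altered")
    actual = build_manifest(root)
    for rel in sorted(set(manifest) | set(actual)):
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif rel not in manifest:
            problems.append(f"unexpected: {rel}")
        elif actual[rel] != manifest[rel]:
            problems.append(f"modified: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario: a faithful copy verifies; a copy altered in transit does not."""
    with tempfile.TemporaryDirectory() as s, tempfile.TemporaryDirectory() as d:
        src, dst = Path(s), Path(d)
        (src / "lib").mkdir()
        (src / "main.c").write_text("int main(void) { return 0; }\n")
        (src / "lib" / "util.c").write_text("int util(void) { return 1; }\n")

        manifest = build_manifest(src)      # travels on the disc as manifest.json
        digest = manifest_digest(manifest)  # travels out of band, never on the disc

        for rel in manifest:                # "burn to disc": copy the tree across
            (dst / rel).parent.mkdir(parents=True, exist_ok=True)
            (dst / rel).write_bytes((src / rel).read_bytes())
        clean_ok, _ = verify_tree(dst, manifest, digest)

        # Something on the writing machine appends to a source file and drops an extra one.
        with (dst / "main.c").open("a") as f:
            f.write("/* implant */\n")
        (dst / "autorun.inf").write_text("[autorun]\n")
        tampered_ok, problems = verify_tree(dst, manifest, digest)
        return clean_ok, tampered_ok, problems


if __name__ == "__main__":
    print(demo())
```

The manifest itself rides on the disc, so an attacker who controls the burning machine can rewrite file and manifest together; the digest carried by a separate route is what makes that rewrite visible. The check says nothing about the build server's own state once the code is inside, which is the other half of the problem.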
Silver badge

Re: How can this happen?

Trouble is those writers tend to start faltering over time. And even then, optical drives (and the logical alternative, USB thumb drives) become infection vectors in and of themselves, particularly ones capable of penetrating the air-gap (think Stuxnet--it used USB to jump an air-gap).

So, think a rootkit on the publishing server, secretly infects any optical disc written and any USB drive inserted, this jumps the airgap, gets inserted, infects the build server, sniffs out the private keys, then goes on to infect the return vector, which waits to find a network connection, and then sends the key juice back.

Let's face it; if an adversary really, REALLY wants to have at it, cross every network you have to reach it. Even Sneakernet.

Linux

Re: How can this happen?

Or use a server that doesn't run Windows...

Anonymous Coward

Re: Or use a server that doesn't run Windows...

You have knowledge that the server was running Windows? Please share....

Anonymous Coward

Re: Or use a server that doesn't run Windows...

"The attackers compromised a build server"

So it seems likely that it was

Anonymous Coward

Re: Or use a server that doesn't run Windows...

@ AC 08:00...Build Server

That would make sense if the compromised products only ran on Windows, but Adobe state this also affects 3 Adobe Air products running on Mac. So it's not a dead cert to be a Windows platform (sorry, I couldn't resist!).

Yes, it was likely to be running Windows, but Danny 4 @ 07:02 was just repeating the old nonsense that Windows is insecure while Linux is not.

And more to the point, what about the point-of-entry machine that the bad guys first compromised and used to attack into the Build Server?


Re: Or use a server that doesn't run Windows...

It was actually in reply to the attack vectors suggested by Charles 9. I am not aware of the server OS used. Debian servers have been attacked in the past, but this was via a compromised dev account and not bugs in Linux. Bad configuration of the Adobe server seems likely.

Though all software can have bugs and be poorly configured, I'm pretty sure most are happier their servers run Linux than IIS. I know I am.

Silver badge
FAIL

Re: How can this happen?

"Nearly every machine (Including servers) contains a DVD-RW drive"

Which just happens to be in three data centres 400 miles from the developers.

There are LOTS of methods of securing the process, some have more weaknesses than others. None are perfect!

Bronze badge

Re: How can this happen?

Put the server in the Lead Dev's office or some other office inside the main building; since it doesn't need network access, it can be located anywhere. It could even be a basic quad-core desktop; build servers don't need much in the way of resources when all you are building is releases.

Bronze badge

Re: How can this happen?

@charles 9

I know there are holes in every security system, but I suggested my solution because it would be simple to implement without needing much in the way of additional resources.

Coat

It's a dead cert.

Silver badge

Right, get out. We'll send the coat on.

Bronze badge
Facepalm

According to wiki...

Adobe is...

... "a natural building material made from sand, clay, water, and some kind of fibrous or organic material (sticks, straw, and/or manure), which the builders shape into bricks (using frames) and dry in the sun

Probably more secure imo..

Anonymous Coward

Re: According to wiki...

Sounds like there's a LOT of manure in the mix they use !


How do you tell the difference?

How do you tell the difference between the real software and the malware?

Anonymous Coward

Re: How do you tell the difference?

The difference between the real software and malware is when the malware disguises itself as the real software.


Re: How do you tell the difference?

real Adobe software is BLOATWARE

Anonymous Coward

Questions and observations

The press release dated 27th September notes that :

"The revocation of the impacted certificate for all code signed after July 10, 2012 is planned for 1:15 pm PDT (GMT -7:00) on Thursday October 4, 2012."

So, the compromise of the cert occurred on 10th July, but they only discovered this by chance when some malware signed by an Adobe cert was submitted some months later. That's not exactly a shining example of security auditing is it.

They also state that:

"We believe the threat actors established a foothold on a different Adobe machine and then leveraged standard advanced persistent threat (APT) tactics to gain access to the build server "

Apart from the weasel words (why can't they say "attackers" rather than "Threat Actors"), this suggests that a separate machine was compromised and used for some period of time before the compromise of the cert. Has that machine been isolated and what was the mechanism of access to that machine?

"Scrambling" (as per the article title) suggests a fast reaction. Good that they took immediate action upon validation of the compromised cert, but they don't say what date that was and they don't explain why it will take at least 7 days (27th Sept to 4th Oct) to revoke and implement a new Cert. Hardly seems to be "scrambling" when it takes 7 days...

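The quoted statement says the revocation applies to "all code signed after July 10, 2012", which also answers the earlier "How do you tell the difference?" post: a relying party cannot tell real from fake by looking at the signer, only by when the signature was made. That date scoping only works if the signing time comes from a timestamp countersignature by a third party; a file with no trusted timestamp has only the signer's own word for its date, and the attacker holds that key. Here is an added example of that decision logic, not Adobe's or any vendor's tooling; the certificate serial, file names and dates are constructed, and the cutoff is assumed to be midnight UTC on 10 July 2012 since the statement gives no time.

```python
"""Date-scoped certificate revocation: which signatures survive?

Added example, not Adobe's or any vendor's code. The serial number, file
names and signing times below are constructed for the demonstration."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class Revocation:
    serial: str             # serial number of the revoked signing certificate
    invalid_from: datetime  # signatures with a trusted timestamp before this remain valid


@dataclass(frozen=True)
class SignedFile:
    name: str
    signer_serial: str
    signing_time: Optional[datetime]  # from the timestamp countersignature; None if absent
    timestamp_chain_ok: bool = True   # TSA certificate chain verified; False = untrusted stamp


TRUSTED = "trusted"
REVOKED = "revoked"
NO_TIMESTAMP = "revoked (no trusted timestamp)"


def signature_status(f: SignedFile, revocations: Dict[str, Revocation]) -> str:
    """Decide whether f's signature is still acceptable under a date-scoped revocation.

    Assumes the signature's hash and certificate chain have already been verified;
    this function only applies the revocation rule."""
    rev = revocations.get(f.signer_serial)
    if rev is None:
        return TRUSTED
    if f.signing_time is None or not f.timestamp_chain_ok:
        # No independent evidence of when the signature was made, so the
        # date cutoff cannot be applied in the file's favour.
        return NO_TIMESTAMP
    if f.signing_time.tzinfo is None:
        raise ValueError("signing_time must be timezone-aware to compare with the cutoff")
    return TRUSTED if f.signing_time < rev.invalid_from else REVOKED


def classify(files: Iterable[SignedFile], revocations: Dict[str, Revocation]) -> Dict[str, str]:
    return {f.name: signature_status(f, revocations) for f in files}


# Constructed data. The serial is made up; the cutoff date is the one quoted
# in the thread, with midnight UTC assumed because no time of day was given.
CUTOFF = datetime(2012, 7, 10, tzinfo=timezone.utc)
REVOCATIONS = {"EXAMPLE-SERIAL-1": Revocation("EXAMPLE-SERIAL-1", CUTOFF)}
UTC = timezone.utc
SAMPLE_FILES = [
    # Signed and timestamped months before the build server was compromised.
    SignedFile("legacy_update.exe", "EXAMPLE-SERIAL-1", datetime(2012, 3, 1, tzinfo=UTC)),
    # Timestamped after the cutoff: exactly what the revocation targets.
    SignedFile("unknown_tool.exe", "EXAMPLE-SERIAL-1", datetime(2012, 7, 26, tzinfo=UTC)),
    # Timestamp claims June, but the TSA chain does not verify: treated as untrusted.
    SignedFile("backdated_tool.exe", "EXAMPLE-SERIAL-1", datetime(2012, 6, 1, tzinfo=UTC),
               timestamp_chain_ok=False),
    # No timestamp at all: the signer's own date is worthless once the key leaked.
    SignedFile("nostamp_tool.exe", "EXAMPLE-SERIAL-1", None),
    # Different certificate, not on the revocation list.
    SignedFile("other_vendor.exe", "EXAMPLE-SERIAL-2", None),
]


if __name__ == "__main__":
    for name, status in classify(SAMPLE_FILES, REVOCATIONS).items():
        print(f"{name:20} {status}")
```

The rule treats a missing or unverifiable timestamp as the unsafe case rather than the safe one, which is the only defensible default once the private key is in an attacker's hands: anything that cannot prove it predates the compromise has to be re-signed.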
Anonymous Coward

Re: they don't explain why it will take at least 7 days

Seems pretty quick to me, but then I can't get an infected desktop replaced within 7 days in my environment.

Silver badge
Paris Hilton

Malware signed as Adobe software

Adobe - Does exactly what it says on the tin

Paris because she actually comes with a certificate of sorts herself so I am led to believe!

Bronze badge
Mushroom

air pollution

I can't recall ever using a piece of software as glitchy as Air (trust me, I'm trying, even though it's Friday), which is probably why it was chosen for so many public sector online training fiascos. Horses for courses.

Bronze badge

Warehouse apps please.

It's all a bit bawk bawk bawk, innit?

Silver badge
Thumb Down

Hopefully, this will put paid to ...

the daily bloody updates they send us.

A real pain.
