Adobe is revoking a code signing certificate after it determined it was used by cybercriminals to fraudulently validate two malicious applications running on Windows.
Our investigation to date has shown no evidence that any other sensitive information—including Adobe source code or customer, financial or employee data—was compromised.
Brad Arkin, senior director of security for Adobe products and services
Code signing certificates are used to ensure the validity of software. A fraudulent certificate enables an attacker to spoof the validity of an application enabling it to evade antivirus and other security software.
Adobe said the utilities –Pwdump, which extracts password hashes from Windows and myGeeksmail, a malicious ISAPI filter that can be used to move in a network—came from a single source. Investigators traced the utilities to a compromised build server with access to the Adobe code signing infrastructure.
"Sophisticated threat actors use malicious utilities like the signed samples during highly targeted attacks for privilege escalation and lateral movement within an environment following an initial machine compromise," wrote Brad Arkin, senior director of security for Adobe products and services in a blog post. "As a result, we believe the vast majority of users are not at risk."
Adobe plans to revoke the impacted certificate on Oct. 4 for all software code signed after July 10.
Arkin said forensics investigators believe the certificate was not used to sign widespread malware and was limited to the two malicious utilities.
"Our investigation to date has shown no evidence that any other sensitive information—including Adobe source code or customer, financial or employee data—was compromised," wrote Arkin.
The revocation of the certificate affects the Windows platform as well as Adobe Muse, Adobe Story AIR applications and Acrobat.com desktop service on Mac operating systems. Consumers will receive automated updates, but IT admins managing Adobe products on the Windows platform will need to install product updates, Adobe said.
Arkin said users should not notice any disturbances in Adobe products while the certificate is revoked. Security teams for organizations operating Adobe products must download and deploy the updates themselves. IT security teams can assess their risk at the Adobe support page.
Andrew Storms, director of security operations at San Francisco-based vulnerability management vendor nCircle, said the list of applications affected by the certificate revocation update is lengthy.
"There are a slew of desktop products that all need to be updated," Storms said. "This is a code signing certificate that would be used heavily and an IT admin will have to figure out how to test and deploy the update for everybody."
Affected products include ColdFusion, Flash Media Server and Adobe Application Manager, among others. According to the security bulletin, Adobe is working with VeriSign to revoke the certificate.
"Adobe takes security very seriously, and we are committed to determining how the signatures misusing the Adobe code signing certificate were created given the stringent security measures in place to protect our certificate store and our infrastructure in general," Arkin wrote.
News Director Robert Westervelt contributed to this report.