2 Replies Latest reply on Oct 1, 2012 7:13 PM by Kirsten Harris

    How do we affirmatively distrust your certificate?

    rebecca.menessec Level 1

      Nothing in your FAQ and nothing I can find with Google search appears to provide an example of your now known-compromised code-signing certificate(s). As Windows admins, some of us need to find out which certificates were affected, and we need easily imported copies of the certificates so they can be placed in the Windows "Untrusted Certificates" list and/or other lists of affirmatively distrusted certificates.

       

      And we needed this starting when the news broke, if not earlier.

       

      Your assertion that "Are there other security risks to you? We have strong reason to believe that this issue does not present a general security risk" ( http://helpx.adobe.com/x-productkb/global/certificate-updates.html ) is false, and creates the risk that people will believe all they need to do, if anything, is install updated versions of your software.

       

      If you're merely planning to issue revocation via CRL and/or OCSP, that is extremely dangerous. CRL and OCSP revocation are known to be completely unreliable.

        • 1. Re: How do we affirmatively distrust your certificate?
          David__B Adobe Employee

          Hi Rebecca,

           

          This document has some additional info:

           

          http://www.adobe.com/support/security/advisories/apsa12-01.html

           

          The issue has been reported to MAPP as mentioned in the article.

           

          -Dave

          • 2. Re: How do we affirmatively distrust your certificate?
            Kirsten Harris Adobe Employee

            The code signing certificate that will be revoked is described in detail here:

             

            http://www.adobe.com/support/security/advisories/apsa12-01.html

            • Serial Number: 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88
            • sha1 Thumbprint: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c

             

            Regarding your statement that as an IT admin you need copies of the certificates so they can be placed in the Windows "Untrusted Certificates" list and/or other lists of affirmatively distrusted certificates, Adobe does not recommend the untrusted store in this situation.  The ASSET blog post contains the following paragraph on the topic:

             

            http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html

             

            "Our internal testing indicates that moving the impacted Adobe certificate to the Windows Untrusted Certificate Store does not block threat actors from executing the malicious utilities on a victim machine. However, this configuration does have a negative impact on the user experience and execution of valid Adobe software signed with the impacted certificate. Adobe does not recommend using the Untrusted Certificate Store in this situation."

             

            Something that we do recommend is evaluating SRP / Applocker restrictions based on the hash sums of the known bad files.  Again from the ASSET blog post:

            "In addition to working with your security vendors to ensure you have the latest updates containing protections against these utilities, system administrators for managed desktop Windows OS environments can create a Software Restriction Policy (SRP via Group Policy) that disallows the execution of the malicious utilities and blocks them on the basis of the individual file hashes."

             

            Even without these steps, we have shared the samples with all the major security vendors via MAPP, so you can work with your security vendor/provider to determine if protections are already in place for your environment.

             

             

            Only one instance of the signed malicious utilities has been identified worldwide.  The nature of the utilities and manner in which they are generally used supports our assessment that the vast majority of users of Adobe software are not at risk.

             

            The Adobe certificate will be revoked for all binaries signed since July 10, 2012 and the certificate revocation will be published on the VeriSign CRL effective October 4, 2012.  We agree that the code signing and PKI world is full of inefficiencies and plan to talk more about our lessons learned in a few weeks.  (See the last paragraph of the ASSET blog post.)  Watch the ASSET blog for more details.
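
An added PowerShell example (not part of the posts above and not Adobe's own tooling) for admins who want to inventory which files on a machine carry a signature from the certificate identified in reply 2, so they know what is affected by the revocation. It normalizes the serial number and thumbprint exactly as posted; the `$Root` default and the file extensions scanned are assumptions.

```powershell
param(
    # Assumption: directory tree to inventory; adjust for your environment.
    [string]$Root = $env:ProgramFiles
)

# Identifiers as posted in the thread (space-separated hex).
$PostedThumbprint = 'fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c'
$PostedSerial     = '15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88'

function ConvertTo-CanonicalHex {
    param([string]$Hex)
    # X509Certificate2 exposes Thumbprint and SerialNumber as uppercase hex
    # with no separators, so strip everything else before comparing.
    ($Hex -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$thumb  = ConvertTo-CanonicalHex $PostedThumbprint
$serial = ConvertTo-CanonicalHex $PostedSerial

# A SHA-1 thumbprint is 20 bytes (40 hex characters); fail early on a bad paste.
if ($thumb.Length -ne 40) { throw "Unexpected thumbprint length: $($thumb.Length)" }

Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $cert = $sig.SignerCertificate

        # Unsigned files have no signer certificate; skip them.
        if ($cert -and $cert.Thumbprint -eq $thumb) {
            [pscustomobject]@{
                Path          = $_.FullName
                Status        = $sig.Status            # e.g. Valid, HashMismatch, NotTrusted
                SerialMatches = ($cert.SerialNumber -eq $serial)
                Subject       = $cert.Subject
                SHA256        = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }
```

The output is an inventory only; the hashes of the malicious utilities are not given in this thread and must come from the advisory or your security vendor before building SRP / AppLocker hash rules.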