I was under the impression that we'd put the re-signed builds on the LWS site already. Most about a month ago, although some more recently. Which specific software did you download with the compromised certificate and when did you do so?
Manager, Tier 3 Tech Support
I have done two downloads this morning just to double check, Design Standard CS6 and InDesign 8, both still have evidence of being signed with the VeriSign RSA certificate with fingerprint fdf01dd3f37c66ac4c779d92623c77814a07fe4c.
The thumbprint mentioned above is indeed the same that the revoked certificate has, we are currently investigating this case.
In the meantime, can you try running the "Customer Response Tool" and observe (and let us know) the results reported by the tool on your machine
Tool is located under the section "Desktop products with updates".
Thank you for confirming the certificate found in newly downloaded software from the LWS is the one that has been revoked by Adobe.
Unfortunately I work in an environment where the use of the reporting tool is not allowed by the organisation. I am therefore unable run the Customer Response Tool against a production machine with installed software. I would be happy however to download and test other products and share with you the results of scanning those for the certificate. If this would be of use please let me know.
In the meantime I look forward to hearing the results of your investigation.
Hi Tim -
I've been looking into this and downloaded a couple products from the LWS site and I'm unable to reproduce the issue you are seeing. Can you provide me with a few more details? I'm specifically looking for information on how you're inspecting these binaries to determine they are signed with the revoked certificate. can you tell me which files you are looking at or what your doing to show this? If we could pick one product to focus on that would help us narrow this down. You mentioned InDesign was exhibitng this. Let's focus on that - can you share the details of the binaries you have - date/time stamps, file size, etc. you can also email me directly at email@example.com if that is more convienient.
Thanks for your response. For the benefit of the thread I used the AnalyzePESig tool from Didier Stevens to initially scan the files to identify the security ceritifcates, then confirmed the certificates' details by simply interrogating them in Explorer. I will send you the results of AnalyzePESig and a sample screenshot of the certificate directly.
The certificate that was compromised was only revoked for binaries that were signed after 7/10/12. So even though the binaries you are seeing here have the same certificate, they will not be impacted as they were all signed prior to 7/10.
This is noted in the blog post regarding this:
“The revocation of the impacted certificate for all code signed after July 10, 2012 is planned for 1:15 pm PDT (GMT -7:00) on Thursday October 4, 2012. To determine what this means for current installations and what corrective steps (if any) are necessary, please refer to the support page on Adobe.com. The certificate revocation itself will be included in the certificate revocation list (CRL) published by VeriSign; no end user or administrator action is required to receive the updated CRL.”
You can find the complete blog post here: http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.h tml
This software is safe to use and has valid certificates & binaries – just a nuance in the revocation policy.