Adobe hacked and exploited
Adobe's Director of Product Security and Privacy, Brad Arkin, has summarised the current state of his company's investigations into the inappropriate use of Adobe certificates in a blog post. Unknown intruders are thought to have hacked an internal server in order to provide specific malware programs with a valid digital signature. These tools were then apparently used for targeted attacks.
One of the signed programs is the pwdump7 tool that allows password hashes to be extracted from a Windows system so they can then be cracked on a more powerful system. The second sample is an "ISAPI filter". These filters are special extensions for Microsoft's IIS web server software that can add almost any kind of functionality to the web server – such as the ability to intercept its communication with users. Arkin doesn't specify who was attacked or what happened as a result. However, the extent of the attackers' efforts points towards a high-profile or at least a lucrative target.
Arkin also neglects to answer the question of how the attackers intruded into Adobe's systems. What is known is that they compromised an internal build server that had the ability to issue code-signing requests. This server and the complete code-signing infrastructure have now been decommissioned. Arkin said that the private key that is associated with the compromised certificate was not stolen because it is kept in a hardware security module that was not breached. No other information or source code appears to have been stolen.
On Thursday 4 October, Adobe plans to respond by revoking the affected certificate for any software that was signed after 10 July 2012. The revocation affects Adobe applications on the Windows platform as well as three Adobe AIR applications that are available for Windows and Mac systems (Adobe Muse, Adobe Story AIR Applications and Acrobat.com Desktop Services). The company has provided more detailed information about the affected software on a dedicated support page. Adobe promised that the certificate revocation will not affect the majority of customers.
Arkin discourages users from manually adding the affected certificate (issued to "Adobe Systems Incorporated", serial number 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88) to the Windows Untrusted Certificate Store. The executive explained that, while this doesn't stop an attack, it will have "a negative impact on the user experience" of Adobe software users.
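For administrators who want to know which binaries on a Windows system carry a signature from the affected certificate, the following PowerShell script is an added example (not from the article or from Adobe) that matches the signer's serial number quoted above; the search root is an assumption and can be changed.

```powershell
# Added example: inventory executables whose Authenticode signer is the
# certificate named in the article. Serial number taken from the article,
# written as the hex string Windows returns (no spaces, upper case).
$AffectedSerial = '15E5AC0A487063718E39DA52301A0488'

function Find-AffectedAdobeBinaries {
    param(
        # Assumption: search Program Files; point this at any other tree as needed.
        [string]$Root = "$env:ProgramFiles"
    )

    Get-ChildItem -Path $Root -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Unsigned files have no SignerCertificate; skip them.
            if ($sig.SignerCertificate -and
                $sig.SignerCertificate.SerialNumber -eq $AffectedSerial) {
                [pscustomobject]@{
                    Path          = $_.FullName
                    Subject       = $sig.SignerCertificate.Subject
                    # Status only changes to a revoked/not-trusted state once the
                    # revocation reaches the machine; until then it still reads
                    # 'Valid', which is why the match is made on the serial number.
                    Status        = $sig.Status
                    # Authenticode evaluates revocation against the countersignature
                    # time, so a timestamped file signed before 10 July 2012 keeps
                    # validating after the revocation; an untimestamped one does not.
                    Countersigned = [bool]$sig.TimeStamperCertificate
                }
            }
        }
}

Find-AffectedAdobeBinaries | Format-Table -AutoSize
```

A matching file whose Status reads Valid is not evidence of compromise on its own; it marks software that will need Adobe's re-signed build once the revocation is live.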