Criminals have broken into an Adobe server and signed two pieces of malware with a digital certificate that attests to their being legitimate code. As a result of the breach, the company will revoke the certificate next Thursday and will update legitimate Adobe software that has been signed by the same certificate since July 10.
Adobe says that its legitimate software signed by the certificate is not at risk and that the hijacked certificate does not pose a general security threat.
"The evidence we have seen has been limited to a single isolated discovery of two malicious utilities signed using the certificate and indicates that the certificate was not used to sign widespread malware," Adobe says in an FAQ on the situation.
But there could be another shoe or two yet to drop, says Andrew Storms, director of security operations for security vendor nCircle. "It seems probable that this situation is the result of a breach of Adobe's software release process," Storms says in a written statement. "If that's the case there could be other serious problems that haven't been found yet."
Adobe says it is working with security vendors so their products will be able to detect the malware that was signed by the compromised certificate and protect end users from the malware.
Adobe didn't say exactly what the malware was capable of doing, but noted that in general using stolen certificates to legitimize malware is a tactic used by sophisticated adversaries carrying out targeted attacks.
"As a result, we believe the vast majority of users are not at risk," Adobe says in a blog. Once executed, such malware can escalate privileges on compromised machines and move from machine to machine within a network.
Products that need updating are:
- Adobe Application Manager -- Enterprise Edition
- Adobe Provisioning Toolkit -- Enterprise Edition
- Report Builder -- Digital Marketing Suite
- SiteCatalyst Real-Time Dashboard -- Digital Marketing Suite
- Adobe Update Server Setup Tool
- Flash Media Server 4.5.3
- ColdFusion 10
- Flash Player
Also affected are three Adobe AIR applications -- Adobe Muse and Adobe Story AIR applications as well as Acrobat.com desktop services that run on both Windows and Macintosh.