Adobe overhauls digital signing system post-attack

published 28 September 2012

Software giant Adobe is to overhaul its digital signing procedures after the discovery of two malware samples carrying the firm's digital certificate of approval.

The certificate's presence means the "malicious utilities" would have been treated as safe by end users' computers.

We believe the vast majority of users are not at risk.

In a blog post, confirming the discovery, Adobe said the malware had been traced back to a single source and that a "compromised build server" had been discovered with access to the firm's code signing infrastructure.

"We immediately decommissioned the existing Adobe code signing infrastructure and initiated a forensics investigation to determine how these signatures were created," said the blog post.

"We are proceeding with plans to revoke the certificate and publish updates for existing Adobe software signed using the impacted certificate."

The firm said signed samples of malware are often used in "highly targeted attacks", but said the "vast majority" of users were not at risk.

The software vendor has introduced an interim signing service, featuring an offline human verification stage, and revealed that it is working on a replacement system.

It will also be revoking all affected certificates, issued after 10 July 2012, on Thursday 4 October 2012.

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.

Get the ITPro daily newsletter