===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0953
           Upcoming Revocation of Adobe code signing certificate
                              4 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe code signing certificate
Publisher:         Adobe
Operating System:  Windows
                   Mac OS X
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 
   http://www.adobe.com/support/security/advisories/apsa12-01.html

--------------------------BEGIN INCLUDED TEXT--------------------

Security Advisory: Upcoming Revocation of Adobe code signing certificate

Release date: September 27, 2012

Vulnerability identifier: APSA12-01

SUMMARY

Adobe is investigating what appears to be the misuse of an Adobe code signing
certificate. Adobe plans to revoke the certificate on October 4 for all
software code signed after July 10, 2012. Adobe is in the process of issuing
updates signed using a new digital certificate for all affected products.

The certificate revocation will affect the following certificate:

sha1RSA certificate
Issued to Adobe Systems Incorporated
Issued by VeriSign Class 3 Code Signing 2010 CA
Serial Number: 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88
sha1 Thumbprint: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c
Valid from December 14, 2010 5:00 PM PST (GMT -8:00) to December 14, 2012
4:59:59 PM PST (GMT -8:00)

AFFECTED SOFTWARE VERSIONS

The vast majority of Adobe customers will not be impacted by this issue.
However, some customers, in particular administrators in managed Windows
environments, may need to take certain action. To determine whether you or your
organization are impacted, please refer to the support page on the Adobe
website: http://helpx.adobe.com/x-productkb/global/certificate-updates.html

DETAILS

Adobe is investigating what appears to be the misuse of an Adobe code signing
certificate. Adobe is aware at this time of two malicious utilities from a
single source that appeared to be digitally signed using a valid Adobe
code-signing certificate.

The first malicious utility is pwdump7 v7.1. This utility extracts password
hashes from the Windows OS and is sometimes used as a single file that
statically links the OpenSSL library libeay.dll. The sample we received
included the two files separately, each individually signed.

PwDump7.exe:
MD5 hash: 130F7543D2360C40F8703D3898AFAC22
File size: 81.6 KB (83,648 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00)
MD5 hash of file with signature removed: D1337B9E8BAC0EE285492B89F895CADB

libeay32.dll:
MD5 hash: 095AB1CCC827BE2F38620256A620F7A4
File size: 999 KB (1,023,168 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:13 PM PDT (GMT -7:00)
MD5 hash of file with signature removed: A7EFD09E5B963AF88CE2FC5B8EB7127C

The second malicious utility, myGeeksmail.dll, appears to be a malicious ISAPI
filter. Unlike the first utility, we are not aware of any publicly available
versions of this ISAPI filter.

myGeeksmail.dll:
MD5 hash: 46DB73375F05F09AC78EC3D940F3E61A
File size: 80.6 KB (82,624 bytes)
Signature timestamp: Wednesday, July 25, 2012 8:48:59 PM (GMT -7:00)
MD5 hash of file with signature removed: 8EA2420013090077EA875B97D7D1FF07

Adobe has shared information about these files with partners in the security
community, including participants in the Microsoft Active Protections Program
(MAPP) to enable them to quickly develop detection and quarantine methods to
protect against the inappropriately signed utilities. For more information
related to this issue, please refer to the following blog post:
http://blogs.adobe.com/conversations/2012/09/adobe-to-revoke-code-signing-certificate.html

Adobe plans to revoke the certificate on October 4 for all software code signed
after July 10, 2012. Adobe is in the process of issuing updates signed using a
new digital certificate for all affected products.

The certificate revocation will affect the following certificate:

sha1RSA certificate
Issued to Adobe Systems Incorporated
Issued by VeriSign Class 3 Code Signing 2010 CA
Serial Number: 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88
sha1 Thumbprint: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c
Valid from December 14, 2010 5:00 PM PST (GMT -8:00) to December 14, 2012
4:59:59 PM PST (GMT -8:00)

Note: The revocation of the certificate affects the Windows platform and three
Adobe AIR applications (Adobe Muse and Adobe Story AIR applications as well as
Acrobat.com desktop services) that run on both Windows and Macintosh. The
revocation does not impact any other Adobe software for Macintosh or other
platforms.

--------------------------END INCLUDED TEXT--------------------
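
Added example (not part of the Adobe advisory or the AusCERT bulletin): a triage
of a file inventory against the advisory's thumbprint, signing-date cutoff and
MD5 values. The record layout, the status names, the sample rows other than
PwDump7.exe and the choice of 00:00 UTC as the cutoff instant are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Thumbprint and MD5 values are copied from the advisory text above.
REVOKED_THUMBPRINT = "fdf01dd3f37c66ac4c779d92623c77814a07fe4c"
KNOWN_MALICIOUS_MD5 = {
    "130f7543d2360c40f8703d3898afac22": "PwDump7.exe",
    "095ab1ccc827be2f38620256a620f7a4": "libeay32.dll",
    "46db73375f05f09ac78ec3d940f3e61a": "myGeeksmail.dll",
}
# Assumption: the advisory names only the date, so the cutoff is taken as
# 00:00 UTC on July 10, 2012, which errs toward flagging.
UTC = timezone.utc
SIGNING_CUTOFF = datetime(2012, 7, 10, tzinfo=UTC)

def normalize_hex(value):
    """Turn 'fd f0 1d', 'FD:F0:1D' or 'FDF01D' into lowercase hex digits."""
    return "".join(c for c in (value or "").lower() if c in "0123456789abcdef")

def triage(md5, signer_thumbprint, signature_timestamp):
    """Classify one file; timestamps must be timezone-aware or None."""
    if normalize_hex(md5) in KNOWN_MALICIOUS_MD5:
        return "known-malicious"
    if normalize_hex(signer_thumbprint) != REVOKED_THUMBPRINT:
        return "other-signer"
    if signature_timestamp is None or signature_timestamp >= SIGNING_CUTOFF:
        # A missing timestamp cannot be shown to predate the cutoff.
        return "needs-resigned-update"
    return "predates-cutoff"

PDT = timezone(timedelta(hours=-7))
SPACED = "fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c"
# Constructed inventory; only the PwDump7.exe row uses values from the advisory.
INVENTORY = {
    "PwDump7.exe": ("130F7543D2360C40F8703D3898AFAC22", SPACED,
                    datetime(2012, 7, 26, 20, 44, 40, tzinfo=PDT)),
    "old_build.exe": ("0" * 31 + "1", SPACED.upper(), datetime(2012, 3, 1, tzinfo=UTC)),
    "new_build.exe": ("0" * 31 + "2", SPACED.replace(" ", ":"),
                      datetime(2012, 8, 15, tzinfo=UTC)),
    "unstamped.dll": ("0" * 31 + "3", SPACED, None),
    "third_party.exe": ("0" * 31 + "4", "ab" * 20, datetime(2012, 8, 1, tzinfo=UTC)),
}

def triage_all(inventory):
    """Map each path in the inventory to its triage status."""
    return {path: triage(*fields) for path, fields in inventory.items()}
```
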

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================