===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0953
          Upcoming Revocation of Adobe code signing certificate
                              4 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe code signing certificate
Publisher:         Adobe
Operating System:  Windows
                   Mac OS X
Impact/Access:     Reduced Security -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
   http://www.adobe.com/support/security/advisories/apsa12-01.html

--------------------------BEGIN INCLUDED TEXT--------------------

Security Advisory: Upcoming Revocation of Adobe code signing certificate

Release date: September 27, 2012

Vulnerability identifier: APSA12-01

SUMMARY

Adobe is investigating what appears to be the misuse of an Adobe code
signing certificate. Adobe plans to revoke the certificate on October 4 for
all software code signed after July 10, 2012. Adobe is in the process of
issuing updates signed using a new digital certificate for all affected
products.

The certificate revocation will affect the following certificate:

    sha1RSA certificate
    Issued to Adobe Systems Incorporated
    Issued by VeriSign Class 3 Code Signing 2010 CA
    Serial Number: 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88
    sha1 Thumbprint: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c
    Valid from December 14, 2010 5:00 PM PST (GMT -8:00) to
    December 14, 2012 4:59:59 PM PST (GMT -8:00)

AFFECTED SOFTWARE VERSIONS

The vast majority of Adobe customers will not be impacted by this issue.
However, some customers, in particular administrators in managed Windows
environments, may need to take certain action.

To determine whether you or your organization are impacted, please refer to
the support page on the Adobe website:
http://helpx.adobe.com/x-productkb/global/certificate-updates.html

DETAILS

Adobe is investigating what appears to be the misuse of an Adobe code
signing certificate. Adobe is aware at this time of two malicious utilities
from a single source that appeared to be digitally signed using a valid
Adobe code-signing certificate.

The first malicious utility is pwdump7 v7.1. This utility extracts password
hashes from the Windows OS and is sometimes used as a single file that
statically links the OpenSSL library libeay.dll. The sample we received
included the two files separate and individually signed.

    PwDump7.exe:
    MD5 hash: 130F7543D2360C40F8703D3898AFAC22
    File size: 81.6 KB (83,648 bytes)
    Signature timestamp: Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00)
    MD5 hash of file with signature removed: D1337B9E8BAC0EE285492B89F895CADB

    libeay32.dll
    MD5 hash: 095AB1CCC827BE2F38620256A620F7A4
    File size: 999 KB (1,023,168 bytes)
    Signature timestamp: Thursday, July 26, 2012 8:44:13 PM PDT (GMT -7:00)
    MD5 hash of file with signature removed: A7EFD09E5B963AF88CE2FC5B8EB7127C

The second malicious utility, myGeeksmail.dll, appears to be a malicious
ISAPI filter. Unlike the first utility, we are not aware of any publicly
available versions of this ISAPI filter.

    myGeeksmail.dll
    MD5 hash: 46DB73375F05F09AC78EC3D940F3E61A
    File size: 80.6 KB (82,624 bytes)
    Signature timestamp: Wednesday, July 25, 2012 8:48:59 PM (GMT -7:00)
    MD5 hash of file with signature removed: 8EA2420013090077EA875B97D7D1FF07

Adobe has shared information about these files with partners in the
security community, including participants in the Microsoft Active
Protections Program (MAPP) to enable them to quickly develop detection and
quarantine methods to protect against the inappropriately signed utilities.

For more information related to this issue, please refer to the following
blog post:
http://blogs.adobe.com/conversations/2012/09/adobe-to-revoke-code-signing-certificate.html

Adobe plans to revoke the certificate on October 4 for all software code
signed after July 10, 2012. Adobe is in the process of issuing updates
signed using a new digital certificate for all affected products.

The certificate revocation will affect the following certificate:

    sha1RSA certificate
    Issued to Adobe Systems Incorporated
    Issued by VeriSign Class 3 Code Signing 2010 CA
    Serial Number: 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88
    sha1 Thumbprint: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c
    Valid from December 14, 2010 5:00 PM PST (GMT -8:00) to
    December 14, 2012 4:59:59 PM PST (GMT -8:00)

Note: The revocation of the certificate affects the Windows platform and
three Adobe AIR applications (Adobe Muse and Adobe Story AIR applications
as well as Acrobat.com desktop services) that run on both Windows and
Macintosh. The revocation does not impact any other Adobe software for
Macintosh or other platforms.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
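
Added example (not part of the Adobe advisory or the AusCERT bulletin): one way an administrator in a managed Windows environment could inventory files signed with the certificate named above and pick out the three listed samples by MD5. The thumbprint and hashes are copied from the advisory; the $Root parameter and its default are assumptions, and PowerShell 4.0 or later is assumed for Get-FileHash.

```powershell
# Added example: list files signed with the certificate named in APSA12-01.
# $Root is a hypothetical scan root; pass the directory tree you want to audit.
param([string]$Root = 'C:\Program Files')

# sha1 Thumbprint from the advisory, spaces removed.
$AffectedThumbprint = 'FDF01DD3F37C66AC4C779D92623C77814A07FE4C'

# MD5 hashes of the three signed samples listed in the advisory.
$KnownSamples = @{
    '130F7543D2360C40F8703D3898AFAC22' = 'PwDump7.exe'
    '095AB1CCC827BE2F38620256A620F7A4' = 'libeay32.dll'
    '46DB73375F05F09AC78EC3D940F3E61A' = 'myGeeksmail.dll'
}

Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll, *.msi -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
    $cert = $sig.SignerCertificate

    # Skip unsigned files and files signed with any other certificate.
    if ($null -eq $cert) { return }
    if ($cert.Thumbprint -ne $AffectedThumbprint) { return }

    $md5 = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash

    [pscustomobject]@{
        Path            = $_.FullName
        SignatureStatus = $sig.Status
        SerialNumber    = $cert.SerialNumber   # cross-check against the advisory
        Timestamped     = ($null -ne $sig.TimeStamperCertificate)
        MD5             = $md5
        AdvisorySample  = $KnownSamples[$md5]  # empty unless a listed sample
        Verdict         = if ($KnownSamples.ContainsKey($md5)) {
                              'matches a malicious utility listed in the advisory'
                          } else {
                              'signed with the affected certificate: check for a re-signed update'
                          }
    }
}
```

The object returned by Get-AuthenticodeSignature carries the timestamping certificate but not the signing time, so the July 10, 2012 cutoff is not evaluated here and has to be checked per file from its signature details.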