Inappropriate Use of Adobe Code Signing Certificate (adobe.com)
84 points by jjguy on Sept 27, 2012 | 13 comments


I was impressed by the detail and level of disclosure in this post. Very little PR speak, very little vagueness and handwaving - Adobe acknowledged the severity and demonstrated how important they viewed their response.

I have to give a nod of admiration for the professionalism of their handling of such a situation.


My favorite part is that they shut off their code signing infrastructure "within minutes". Good job Adobe! They are also saying that the root cause was essentially "somebody didn't follow procedures for setting up secure build servers, and we didn't catch it." Such a typical security threat: humans doing the wrong stuff.


Get rid of humans: problem solved.

At least that's what the singularity will think.


Brad Arkin is a pro. He comes from vulnerability research, not PR.


"Through this process we learned a great deal about current issues with code signing and the impact of the inappropriate use of a code signing certificate. We plan to share our lessons learned as well as foster a conversation within the industry about the best way to protect users and minimize the impact on users in cases where the revocation of a certificate becomes necessary (as in this example)."

I look forward to this as well.


"and then leveraged standard advanced persistent threat (APT) tactics" - would be interested to know more on this point.


Agreed! Thanks, Adobe, for treating us like real people!


I wonder how many sub $100million non-security-focussed companies

  A) Properly use an HSM at the root of their PKI.  (Following 
     all the procedures for sharding their XofY control of the device)

  B) Have "corporate standards for a build server"

  C) Routinely audit their build servers to ensure they adhere 
     to those corporate standards.

At least the HSM limited the damage to the compromised servers and, of course, all the code that got signed in the interim.


Most small companies cannot afford to invest the time into this kind of thing (obviously).


B and C could be something as similar as having a VM with a standard set of build tools and checking nothing else has been added, which should be in reach of even small companies.


Perhaps storing a hash of the VM's hard disk?


Having just looked at Adobe 'cracks' recently for CS5 and CS6, I wonder why these entries (destined for the HOSTS file)

  127.0.0.1 crl.verisign.net
  127.0.0.1 tss-geotrust-crl.thawte.com

are there... The cracks work by replacing a DLL but also by blocking connections to all the servers it thinks are activation servers (key validation). I tested removing these CRL entries and the software had no issues.

Just speculating wildly, but maybe this was a planned attack a long time coming (given that these entries have existed since CS5).


I don't follow. How is a crack for Adobe software related to breaking into an Adobe build server?



