[SSL Observatory] Fwd: Adobe code-signing cert compromised from an HSM
Lee Fisher
blibbet at gmail.com
Mon Oct 1 13:30:23 PDT 2012
FYI
-------- Original Message --------
Subject: [DC206] Adobe code-signing cert compromised from an HSM
Date: Mon, 1 Oct 2012 12:13:43 -0700
From: Duane Blanchard <dblanchard at gmail.com>
To: list at dc206.org
One of Adobe's code-signing certs was compromised from a physically
secure HSM last week. The cert was used, among other things, to sign a
Windows utility that dumped Windows password hashes.
"Adobe plans to revoke the certificate on October 4 for all software
code signed after July 10, 2012. Adobe is in the process of issuing
updates signed using a new digital certificate for all affected
products."
I'm curious what prevents Adobe from revoking the cert immediately.
Also, the security advisory below gives the "MD5 hash of [the] file
with [the] signature removed." I don't see how the signature could be
removed, even when one holds the secret key. Could someone please
explain that?
Adobe's blog post on it:
http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html
Adobe's security advisory on it:
http://www.adobe.com/support/security/advisories/apsa12-01.html
Thanks,
Duane
More information about the Observatory
mailing list