Security bulletin

Security Advisory: Revocation of Adobe code signing certificate

Release date: September 27, 2012

Last updated: October 4, 2012

Vulnerability identifier: APSA12-01

Summary

Adobe is investigating what appears to be the misuse of an Adobe code signing certificate. Adobe revoked the certificate on October 4 for all software code signed after July 10, 2012 (00:00 GMT). Adobe has issued updates signed using a new digital certificate for all affected products.

The following certificate has been revoked and the certificate revocation list (CRL) is available at http://csc3-2010-crl.verisign.com/CSC3-2010.crl:

  • sha1RSA certificate
  • Issued to Adobe Systems Incorporated
  • Issued by VeriSign Class 3 Code Signing 2010 CA
  • Serial Number: 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88
  • sha1 Thumbprint: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c
  • Valid from December 14, 2010 5:00 PM PST (GMT -8:00) to December 14, 2012 4:59:59 PM PST (GMT -8:00)

Affected software versions

The vast majority of Adobe customers will not be impacted by this issue. However, some customers, in particular administrators in managed Windows environments, may need to take action. To determine whether you or your organization are impacted, please refer to the support page on the Adobe website.

Details

Adobe is investigating what appears to be the misuse of an Adobe code signing certificate. Adobe is aware at this time of two malicious utilities from a single source that appeared to be digitally signed using a valid Adobe code-signing certificate.

The first malicious utility is pwdump7 v7.1. This utility extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay.dll. The sample we received included the two files as separate, individually signed files.

PwDump7.exe:
MD5 hash: 130F7543D2360C40F8703D3898AFAC22

File size: 81.6 KB (83,648 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00)

MD5 hash of file with signature removed: D1337B9E8BAC0EE285492B89F895CADB

libeay32.dll:
MD5 hash: 095AB1CCC827BE2F38620256A620F7A4
File size: 999 KB (1,023,168 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:13 PM PDT (GMT -7:00)

MD5 hash of file with signature removed: A7EFD09E5B963AF88CE2FC5B8EB7127C

The second malicious utility, myGeeksmail.dll, appears to be a malicious ISAPI filter. Unlike the first utility, we are not aware of any publicly available versions of this ISAPI filter.

myGeeksmail.dll:
MD5 hash: 46DB73375F05F09AC78EC3D940F3E61A
File size: 80.6 KB (82,624 bytes)
Signature timestamp: Wednesday, July 25, 2012 8:48:59 PM (GMT -7:00)

MD5 hash of file with signature removed: 8EA2420013090077EA875B97D7D1FF07

Adobe has shared information about these files with partners in the security community, including participants in the Microsoft Active Protections Program (MAPP), to enable them to quickly develop detection and quarantine methods to protect against the inappropriately signed utilities. For more information related to this issue, please refer to the following blog post.

Adobe revoked the certificate on October 4 for all software code signed after July 10, 2012 (00:00 GMT). Adobe has issued updates signed using a new digital certificate for all affected products.

The following certificate has been revoked and the certificate revocation list (CRL) is available at http://csc3-2010-crl.verisign.com/CSC3-2010.crl:

  • sha1RSA certificate
  • Issued to Adobe Systems Incorporated
  • Issued by VeriSign Class 3 Code Signing 2010 CA
  • Serial Number: 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88
  • sha1 Thumbprint: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c
  • Valid from December 14, 2010 5:00 PM PST (GMT -8:00) to December 14, 2012 4:59:59 PM PST (GMT -8:00)

Note: The revocation of the certificate affects the Windows platform and three Adobe AIR applications (Adobe Muse and Adobe Story AIR applications as well as Acrobat.com desktop services) that run on both Windows and Macintosh. The revocation does not impact any other Adobe software for Macintosh or other platforms.
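
Because the revocation is scoped by signing time, triaging a software inventory means matching the signer certificate and comparing each signature timestamp, in UTC, against the July 10, 2012 (00:00 GMT) cutoff. The following is an added example, not part of Adobe's advisory: the record layout, the verdict names and every inventory entry other than the PwDump7.exe hash and timestamp are constructed for illustration, and sending untimestamped files to review is this example's assumption.

```python
from datetime import datetime, timezone

# Certificate identifiers, cutoff and MD5 values copied from the advisory.
REVOKED_SERIAL = "15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88"
REVOKED_THUMBPRINT = "fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c"
CUTOFF = datetime(2012, 7, 10, 0, 0, tzinfo=timezone.utc)
LISTED_MD5 = {"130f7543d2360c40f8703d3898afac22",  # PwDump7.exe
              "095ab1ccc827be2f38620256a620f7a4",  # libeay32.dll
              "46db73375f05f09ac78ec3d940f3e61a"}  # myGeeksmail.dll

def norm_hex(value):
    """Drop separators, case and a 0x prefix so different tools' output compares equal."""
    v = (value or "").strip().lower()
    v = v[2:] if v.startswith("0x") else v
    return "".join(c for c in v if c in "0123456789abcdef")

def classify(rec):
    """Triage one inventory record (hypothetical dict layout, see INVENTORY)."""
    if norm_hex(rec.get("md5")) in LISTED_MD5:
        return "listed-malicious-file"
    if (norm_hex(rec.get("serial")) != norm_hex(REVOKED_SERIAL)
            and norm_hex(rec.get("thumbprint")) != norm_hex(REVOKED_THUMBPRINT)):
        return "other-signer"
    if not rec.get("signed_at"):
        # Assumption of this example: with no timestamp the signing time cannot
        # be placed before the cutoff, so the file is queued for manual review.
        return "review-no-timestamp"
    # Compare in UTC: a local date of July 9 can already be past 00:00 GMT July 10.
    signed = datetime.fromisoformat(rec["signed_at"]).astimezone(timezone.utc)
    return "signed-after-cutoff" if signed > CUTOFF else "signed-before-cutoff"

def triage(inventory):
    return {rec["name"]: classify(rec) for rec in inventory}

# Constructed inventory; only the first entry's hash and timestamp are from the advisory.
INVENTORY = [
    {"name": "PwDump7.exe", "md5": "130F7543D2360C40F8703D3898AFAC22",
     "serial": "15E5AC0A487063718E39DA52301A0488", "signed_at": "2012-07-26T20:44:40-07:00"},
    {"name": "installer_a.exe", "md5": "0" * 32,
     "serial": "15:E5:AC:0A:48:70:63:71:8E:39:DA:52:30:1A:04:88", "signed_at": "2012-06-01T10:00:00-07:00"},
    {"name": "installer_b.exe", "md5": "1" * 32,
     "thumbprint": "FDF01DD3F37C66AC4C779D92623C77814A07FE4C", "signed_at": "2012-07-09T20:00:00-07:00"},
    {"name": "installer_c.exe", "md5": "2" * 32,
     "serial": "0x15e5ac0a487063718e39da52301a0488", "signed_at": None},
    {"name": "tool.exe", "md5": "3" * 32, "serial": "00 11 22", "signed_at": "2012-08-01T00:00:00+00:00"},
]

if __name__ == "__main__":
    print(triage(INVENTORY))
```

Files reported as signed-after-cutoff are the ones that need the re-signed updates; signed-before-cutoff files fall outside the revocation scope stated in the advisory.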