Adobe overhauls digital signing system post-attack
Software giant rushes to fix signing system following discovery of digitally signed malware.
Software giant Adobe is to overhaul its digital signing procedures after the discovery of two malware samples carrying the firm's digital certificate of approval.
The certificate's presence means the "malicious utilities" would have been treated as safe by end users' computers.
We believe the vast majority of users are not at risk.
In a blog post confirming the discovery, Adobe said the malware had been traced back to a single source and that a "compromised build server" with access to the firm's code signing infrastructure had been discovered.
"We immediately decommissioned the existing Adobe code signing infrastructure and initiated a forensics investigation to determine how these signatures were created," said the blog post.
"We are proceeding with plans to revoke the certificate and publish updates for existing Adobe software signed using the impacted certificate."
The firm said signed samples of malware are often used in "highly targeted attacks", but said the "vast majority" of users were not at risk.
The software vendor has introduced an interim signing service, featuring an offline human verification stage, and revealed that it is working on a replacement system.
It will also be revoking all affected certificates, issued after 10 July 2012, on Thursday 4 October 2012.