What you need to know about the Adobe certificate compromise

Adobe announced plans to revoke one of its code-signing certificates after it was compromised and used to make malicious attacks appear to be legitimate Adobe tools. The question businesses and consumers need to ask themselves is what impact this might have on them, or what needs to be done to avoid attacks using the compromised certificate.

Adobe announced plans to revoke the affected code-signing certificate effective next Thursday—October 4, 2012. In a blog post explaining the action, Adobe stated that customers should not notice any adverse consequences as a result of the revocation process.

Adobe claims that the impact so far seems to be limited to the discovery of two malicious utilities signed using the compromised Adobe certificate. The blog post states that Adobe is not aware of widespread malware attacks using the certificate. Adobe also states that its investigation so far shows no evidence that any other sensitive information—like customer data, financial information, or Adobe source code—has been compromised.

What does this mean for the Adobe software you have installed on your PC or mobile device? The answer is nothing. The compromised code-signing certificate is being used to make some malicious tools look like legitimate Adobe software, but it has no impact on genuine Adobe software you have bought or downloaded.

According to Adobe, the certificate revocation affects only a small portion of the total Adobe portfolio and customers. The revoked certificate affects the Windows platform, and three Adobe AIR applications that run on both Windows and Mac OS X.

Adobe will issue updates signed using a new, uncompromised digital certificate for the affected products. It is also working closely with security vendors to make sure security software is equipped to detect and block malware using the revoked certificate.

This is another example of attackers targeting the low-hanging fruit. Microsoft has greatly improved the overall security of Windows, and other operating system platforms are as secure or better. Attackers instead go after smaller, third-party tools like Java or the many ubiquitous tools from Adobe, or—as in this case—mount an attack based on the brand recognition and trust businesses and consumers have for Adobe tools by compromising a digital certificate and signing malicious code to appear as if it is legitimate Adobe software.

As is generally the case, having a reliable cross-device security tool in place is probably your best first line of defense. When new vulnerabilities are discovered, or new threats are detected, operating system and software developers take time to evaluate the issue and develop an appropriate response. The process can take days, weeks, or sometimes months. But security tools are usually updated within hours with the information necessary to detect, identify, and avoid the threat in the meantime.
