FYI -------- Original Message -------- Subject: [DC206] Adobe code-signing cert compromised from an HSM Date: Mon, 1 Oct 2012 12:13:43 -0700 From: Duane Blanchard <[email protected]> To: [email protected]
One of Adobe's code-signing certs was compromised from a physically secure HSM last week. The cert was used, among other things, to sign a Windows utility that dumped Windows password hashes. "Adobe plans to revoke the certificate on October 4 for all software code signed after July 10, 2012. Adobe is in the process of issuing updates signed using a new digital certificate for all affected products." I'm curious what prevents Adobe from revoking the cert immediately. Also, the security advisory below gives the "MD5 hash of [the] file with [the] signature removed." I don't see how the signature could be removed, even when one holds the secret key. Could someone please explain that? Adobe's blog post on it: http://blogs.adobe.com/asset/2012/09/inappropriate-use-of-adobe-code-signing-certificate.html Adobe's security advisory on it: http://www.adobe.com/support/security/advisories/apsa12-01.html Thanks, Duane
