Release date: September 27, 2012
Last updated: October 4, 2012
Vulnerability identifier: APSA12-01
Adobe is investigating what appears to be the misuse of an Adobe code signing certificate. Adobe revoked the certificate on October 4 for all software code signed after July 10, 2012 (00:00 GMT). Adobe has issued updates signed using a new digital certificate for all affected products.
The following certificate has been revoked and the certificate revocation list (CRL) is available at http://csc3-2010-crl.verisign.com/CSC3-2010.crl:
The vast majority of Adobe customers will not be impacted by this issue. However, some customers, in particular administrators in managed Windows environments, may need to take certain action. To determine whether you or your organization are impacted, please refer to the support page on the Adobe website.
Adobe is investigating what appears to be the misuse of an Adobe code signing certificate. Adobe is aware at this time of two malicious utilities from a single source that appeared to be digitally signed using a valid Adobe code-signing certificate.
The first malicious utility is pwdump7 v7.1. This utility extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay.dll. In the sample we received, the two files were separate and individually signed.
PwDump7.exe:
MD5 hash: 130F7543D2360C40F8703D3898AFAC22
File size: 81.6 KB (83,648 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00)
MD5 hash of file with signature removed: D1337B9E8BAC0EE285492B89F895CADB
libeay32.dll:
MD5 hash: 095AB1CCC827BE2F38620256A620F7A4
File size: 999 KB (1,023,168 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:13 PM PDT (GMT -7:00)
MD5 hash of file with signature removed: A7EFD09E5B963AF88CE2FC5B8EB7127C
The second malicious utility, myGeeksmail.dll, appears to be a malicious ISAPI filter. Unlike the first utility, we are not aware of any publicly available versions of this ISAPI filter.
myGeeksmail.dll:
MD5 hash: 46DB73375F05F09AC78EC3D940F3E61A
File size: 80.6 KB (82,624 bytes)
Signature timestamp: Wednesday, July 25, 2012 8:48:59 PM (GMT -7:00)
MD5 hash of file with signature removed: 8EA2420013090077EA875B97D7D1FF07
Adobe has shared information about these files with partners in the security community, including participants in the Microsoft Active Protections Program (MAPP), so that they can quickly develop detection and quarantine methods to protect against the inappropriately signed utilities. For more information related to this issue, please refer to the following blog post.
Adobe revoked the certificate on October 4 for all software code signed after July 10, 2012 (00:00 GMT). Adobe has issued updates signed using a new digital certificate for all affected products.
The following certificate has been revoked and the certificate revocation list (CRL) is available at http://csc3-2010-crl.verisign.com/CSC3-2010.crl:
Note: The revocation of the certificate affects the Windows platform and three Adobe AIR applications (Adobe Muse and Adobe Story AIR applications as well as Acrobat.com desktop services) that run on both Windows and Macintosh. The revocation does not impact any other Adobe software for Macintosh or other platforms.
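For administrators triaging hosts, the following added example (not Adobe's code) checks files against the MD5 hashes and sizes listed above and tests whether a signature timestamp falls under the July 10, 2012 (00:00 GMT) revocation cutoff. The function names are illustrative, the timestamp is assumed to have been extracted by a separate signature-inspection tool, and treating the exact cutoff instant as revoked is an assumption.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from pathlib import Path

# MD5 -> (name, size in bytes) of the signed files, copied from the advisory.
KNOWN_BAD = {
    "130F7543D2360C40F8703D3898AFAC22": ("PwDump7.exe", 83648),
    "095AB1CCC827BE2F38620256A620F7A4": ("libeay32.dll", 1023168),
    "46DB73375F05F09AC78EC3D940F3E61A": ("myGeeksmail.dll", 82624),
}

# Revocation cutoff stated in the advisory: July 10, 2012 (00:00 GMT).
CUTOFF = datetime(2012, 7, 10, 0, 0, tzinfo=timezone.utc)
PDT = timezone(timedelta(hours=-7))  # the advisory gives times as GMT -7:00

# Signature timestamps listed in the advisory.
ADVISORY_TIMESTAMPS = {
    "PwDump7.exe": datetime(2012, 7, 26, 20, 44, 40, tzinfo=PDT),
    "libeay32.dll": datetime(2012, 7, 26, 20, 44, 13, tzinfo=PDT),
    "myGeeksmail.dll": datetime(2012, 7, 25, 20, 48, 59, tzinfo=PDT),
}


def covered_by_revocation(signed_at):
    """True if a signature timestamp falls at or after the cutoff.

    Assumption: the boundary instant itself is treated as revoked.
    """
    if signed_at.tzinfo is None:
        raise ValueError("timestamp needs a UTC offset; local dates can mislead")
    return signed_at.astimezone(timezone.utc) >= CUTOFF


def scan(root, known=KNOWN_BAD):
    """Return sorted (path, name) pairs for files matching a listed size and MD5."""
    sizes = {size for _, size in known.values()}
    hits = []
    for path in Path(root).rglob("*"):
        # Cheap size pre-filter so only candidate files get hashed.
        if not path.is_file() or path.stat().st_size not in sizes:
            continue
        digest = hashlib.md5(path.read_bytes()).hexdigest().upper()
        if digest in known and known[digest][1] == path.stat().st_size:
            hits.append((str(path), known[digest][0]))
    return sorted(hits)


if __name__ == "__main__":
    for name, ts in ADVISORY_TIMESTAMPS.items():
        print(name, ts.astimezone(timezone.utc).isoformat(), covered_by_revocation(ts))
    print(scan("."))
```

A timestamp of July 9, 2012 6:00 PM at GMT -7:00 is already July 10 in GMT, so the comparison is done in UTC rather than on the local calendar date.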