Many Questions and Few Answers Regarding Latest Adobe Hack
Tue, 02 Oct 2012 12:47:08 GMT
This code signing hack at Adobe and the available information still leave a lot of unanswered questions. No one I’ve talked to has been able to get to the bottom of it. Here’s what I have put together.
One of their code-signing servers got hacked and was used to sign some malicious software. We know of 3 files and their hashes, which are listed at http://www.adobe.com/support/security/advisories/apsa12-01.html.

Were other files signed? We do not know.

How can I protect against the 3 files we know were signed? Create Software Restrictions in Group Policy based on the file hashes.

How can I protect against any other files that were signed? Intelligent whitelisting – join me for my webinar tomorrow to learn more.
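
The two questions above (the 3 known files, and anything else signed with the same certificate) can also be checked on disk. The PowerShell audit below is an added example, not from the original post or from Adobe; the hash list, certificate thumbprint, scan root and hash algorithm are placeholders and assumptions to be filled in from the advisory.

```powershell
# Added example: report files that match a hash deny list or that carry a
# signature from one specific certificate. Every value below is a placeholder.
param(
    [string]$Root      = 'C:\Program Files',  # assumption: directory tree to audit
    [string]$Algorithm = 'SHA256'             # assumption: use the algorithm the advisory publishes
)

# Placeholders: copy the real values from the vendor advisory.
$DenyHashes = @(
    '<HASH-OF-KNOWN-FILE-1>',
    '<HASH-OF-KNOWN-FILE-2>',
    '<HASH-OF-KNOWN-FILE-3>'
)
$ImpactedThumbprint = '<THUMBPRINT-OF-IMPACTED-CERTIFICATE>'

Get-ChildItem -Path $Root -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file    = $_.FullName
        $hash    = $null
        $reasons = @()

        # Check 1: known-bad hash (-contains compares case-insensitively).
        try {
            $hash = (Get-FileHash -LiteralPath $file -Algorithm $Algorithm -ErrorAction Stop).Hash
            if ($DenyHashes -contains $hash) { $reasons += 'hash on deny list' }
        } catch {
            $reasons += "could not hash: $($_.Exception.Message)"
        }

        # Check 2: any file signed with the impacted certificate, known or not.
        $sig    = Get-AuthenticodeSignature -FilePath $file -ErrorAction SilentlyContinue
        $signer = if ($sig) { $sig.SignerCertificate } else { $null }
        if ($signer -and $signer.Thumbprint -eq $ImpactedThumbprint) {
            $reasons += 'signed with impacted certificate'
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Path    = $file
                Hash    = $hash
                Signer  = if ($signer) { $signer.Subject } else { $null }
                Reasons = $reasons -join '; '
            }
        }
    }
```

Files reported only by the second check are signed with the impacted certificate and include valid Adobe software, so each hit needs review rather than automatic blocking.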

Can you add the relevant Adobe certificate to your Untrusted Certificates store? Adobe says doing that won’t stop the malware signed with the certificate but will create a “negative impact on the user experience and execution of valid Adobe software signed with the impacted certificate. Adobe does not recommend using the Untrusted Certificate Store in this situation.” http://forums.adobe.com/message/4741942#4741942.

What exactly is the “negative impact”? I assume legit Adobe apps won’t run…

What do I need to do? Adobe says we need to install updated versions of about 30 applications. http://helpx.adobe.com/x-productkb/global/certificate-updates.html#main-pars_header_8

What will happen if I don’t update those applications? What is the risk of not updating? I can find no explanation at all on this. The FAQ specifically asks this question but I don’t get much from the answer: Adobe is issuing updates for all impacted products to provide customers with software code signed using a new digital certificate. To determine whether an update signed using a new digital certificate is available for your Adobe software installation, please refer to Security certificate updates.

I’m going to cover all the issues in more depth in tomorrow’s webinar and provide short term tactical suggestions and long term strategic recommendations for this new kind of threat that leverages compromised software vendor update infrastructures to deliver and/or trick your computers into running malicious code.

Lumension has agreed to sponsor this webinar and their software update and application whitelisting experts will be joining me.

Please don’t miss this timely real training for free (TM) session.