Adobe is currently investigating what appears to be the inappropriate use of an Adobe code signing certificate for Windows. We plan to revoke the impacted certificate on October 4, 2012 for all software code signed after July 10, 2012. Customers should not notice anything out of the ordinary during the certificate revocation process. Our investigation to date has shown no evidence that any other sensitive information—including Adobe source code or customer, financial or employee data—was compromised.
What does this mean for you?
The revocation of the certificate affects the Windows platform and three Adobe AIR applications* that run on both Windows and Macintosh. The revocation does not impact any other Adobe software for Macintosh or other platforms. The vast majority of customers of Adobe software for Windows will also not be affected. A small number of customers, in particular administrators in managed Windows environments, may need to take certain action. To determine whether you or your organization are impacted, please refer to the support page on Adobe.com.
Is your Adobe software vulnerable because of this issue? No. This issue has no impact on the security of your genuine Adobe software.
Are there other security risks to you? We have strong reason to believe that this issue does not present a general security risk. The evidence we have seen has been limited to a single isolated discovery of two malicious utilities signed using the certificate and indicates that the certificate was not used to sign widespread malware.
In addition to the revocation of the certificate, we have taken the following steps to protect all users and minimize the impact of the revocation of the certificate for our customers:
- We are working closely with the security community so that security software providers, such as antivirus or intrusion detection and prevention vendors, can develop protections that help customers detect and defend against the inappropriately signed utilities.
- We are in the process of updating Adobe software by re-signing applications using a new code signing certificate to ensure existing product installations and new downloads continue to function without interruption.
- We are working diligently both internally and with external partners, including law enforcement, to gather data, examine our findings, and determine the appropriate course of action.
Adobe takes security very seriously, and we are committed to determining how the signatures misusing the Adobe code signing certificate were created, given the stringent security measures in place to protect our certificate store and our infrastructure in general.
* Adobe Muse and Adobe Story AIR applications as well as Acrobat.com desktop services
- Adobe Customer Support
- Adobe Secure Software Engineering Team Blog Post: Inappropriate Use of Adobe Code Signing Certificate