Adobe announced Thursday that it had decommissioned its existing Adobe code signing infrastructure, after the company was alerted to two malicious utilities that were digitally signed using a valid Adobe code signing certificate. A forensics investigation was undertaken as well.
In its investigation, Adobe discovered that a build server with access to the Adobe code signing infrastructure was compromised. However, the company found no evidence that source code was stolen or affected by the breach. The company will revoke the compromised certificate and publish updates for the Adobe software that was signed with it.
According to Brad Arkin, senior director of product security and privacy, this will only affect Adobe software signed with the compromised certificate that runs on the Windows platform, and three Adobe AIR applications that run on both Windows and Mac platforms. No other Adobe software or platforms will be affected.
The first of the malicious utilities that Adobe received is "pwdump7 v7.1", which "extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay32.dll." The second malicious utility, "myGeeksmail.dll", is believed to be an ISAPI filter, though Adobe is unaware of any publicly available versions of this filter. MD5 hash values and other information on the malicious utilities can be found in the Adobe security advisory.
The certificate revocation is planned for Thursday, October 4, 2012.
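For a defender who needs to find out whether any binaries on a Windows host were signed with the compromised certificate, or match the malicious utilities the advisory describes, the following PowerShell script is an added example and not code from Adobe or its advisory. It walks a directory tree, records each executable's Authenticode status and signer thumbprint, and flags files whose signer thumbprint or MD5 matches values you supply. The thumbprint and the MD5 values are placeholders: the page says the hashes are published in the Adobe security advisory but does not list them, so replace the placeholders with the values from the advisory before use.

```powershell
# Added example (not Adobe's code): inventory Authenticode signatures under a path and
# flag binaries that chain to a suspect signing certificate or match known-bad hashes.

# Placeholders: fill in the certificate thumbprint and the MD5 values from Adobe's advisory.
$SuspectThumbprint = 'PLACEHOLDER_COMPROMISED_CERT_THUMBPRINT'
$KnownBadMd5 = @(
    'PLACEHOLDER_MD5_PWDUMP7',
    'PLACEHOLDER_MD5_MYGEEKSMAIL_DLL'
)

function Get-SignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Status is Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $md5  = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash.ToLower()
            $cert = $sig.SignerCertificate   # $null when the file is unsigned

            [pscustomobject]@{
                File        = $_.FullName
                Status      = $sig.Status
                Subject     = if ($cert) { $cert.Subject } else { $null }
                Thumbprint  = if ($cert) { $cert.Thumbprint } else { $null }
                Md5         = $md5
                # A signature can be cryptographically valid and still come from a stolen key,
                # so match on the signer identity rather than trusting Status alone.
                SuspectCert = [bool]($cert -and $cert.Thumbprint -eq $SuspectThumbprint)
                KnownBad    = [bool]($KnownBadMd5 -contains $md5)
            }
        }
}

# Usage: list only the files that chain to the suspect certificate or match a known-bad hash.
Get-SignatureReport -Path 'C:\Program Files' |
    Where-Object { $_.SuspectCert -or $_.KnownBad } |
    Format-Table File, Status, Subject, Thumbprint, Md5 -AutoSize
```

The script deliberately reports on signer identity rather than on `Status` alone: the point of this incident is that the malicious utilities carried a valid signature, so a `Valid` status is not evidence that a file is benign. Once the certificate is revoked, files signed with it that lack a trusted timestamp will also start failing validation, which is a useful secondary signal but not a substitute for the thumbprint check.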