Valid Adobe Certificate Used to Sign Malicious Utilities Common in Targeted Attacks

JMH (Emeritus, Contributor; joined Apr 2, 2012; 7,197 posts)
Adobe announced today it was the victim of an APT-style attack after two malicious utilities commonly used in targeted attacks for privilege escalation and pivoting within a network were discovered signed by a valid Adobe digital certificate. Adobe said it will revoke the certificate next week.
Adobe products and services senior director of security Brad Arkin said in a statement that a build server with access to the Adobe code signing infrastructure was compromised and is the source of the issue.
The certificate will be revoked on Oct. 4; this affects only Adobe software signed with the cert after July 10 running on Windows, as well as three Adobe Air applications that run on Windows and the Macintosh platform.
http://threatpost.com/en_us/blogs/v...icious-utilities-used-targeted-attacks-092712
 
What's the Meaning of This: Adobe Certificate Attack

The news yesterday that Adobe had been compromised and that the attackers were able to get valid Adobe signatures on a pair of malware utilities is one of the more worrisome and troubling stories in what has become a year of huge hacks and historic change in the security industry. Adobe was forthcoming with many of the details of the attack, but the ones that were omitted are the ones that really make a difference in this instance.
As in most of these cases, what we know is mostly the results of the attack. We know that the attackers found a weak spot somewhere on Adobe's corporate infrastructure and found a way in. Adobe has not identified what the vulnerability was, where the compromised machine sat on its network or how the attackers were able to compromise it in the first place. Was it a phishing email, a la the RSA hack? Or was it something less pedestrian? We don't know.
We do know that once the attackers were inside, they began moving around until they found the machine that they were really interested in: a build server. They got there by using what Brad Arkin, Adobe's top security and privacy official, said were techniques typically seen from APT-style attackers.

http://threatpost.com/en_us/blogs/whats-meaning-adobe-certificate-attack-092812
 
Seems the more known this is becoming, the more people are just constantly going at this flaw with Windows :) It should be top priority for the Microsoft devs to fix this, especially since it's very easy for others to take advantage of it... I've actually figured it out already as well. Digital certificate transfers are not impossible. At first, when I exposed this flaw, I'd assumed that they would've jumped at it to fix it, probably in a Windows update, and integrated the fix by default at the core with the official release of Windows 8.

Certificates signed with an MD5 hash are not to be trusted. Taking the optional header with the certificate embedded, and replacing it with the bytes of the data within the to-be-cloned certificate to match that sector size and the hash, is basically the same as little red riding hood and the wolf as the granny... It's far too trusted, and that's where the mistake is made.

Don't trust the certificates as a means of validation for bad vs. good files.
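The post above argues that an embedded certificate block can be transplanted between binaries and that MD5-signed certificates should not be trusted. From the verifier's side, the relevant fact is what an Authenticode signature actually covers: a hash of the PE image that deliberately excludes the CheckSum field, the security data directory entry and the attribute certificate table itself. The script below is an added example written for this thread, not code from Adobe, Microsoft or any poster; it builds a constructed, non-runnable PE32 image (the `build_minimal_pe32` helper and its payload are assumptions), recomputes the Authenticode hash with only the standard library, and shows that attaching a certificate table leaves that hash unchanged while editing a single byte of section data changes it, so a verifier that recomputes the hash and compares it to the signed value will not accept a copied certificate block. The `WEAK_DIGESTS` policy set is also an assumption: MD5 is the case the post raises, and SHA-1 is included because Microsoft later deprecated it for code signing.

```python
"""Recompute the Authenticode PE hash: the digest a code signature actually covers.
Added example with a constructed PE image; standard library only."""
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4
# Assumed verification policy: refuse digests that should not anchor a signature.
WEAK_DIGESTS = {"md5", "sha1"}


def acceptable_digest(name: str) -> bool:
    return name.lower() not in WEAK_DIGESTS


def pe_layout(data: bytes):
    """Locate what the Authenticode hash skips (CheckSum, security directory entry,
    certificate table) and the section raw-data ranges it covers."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32: data directories begin at optional-header offset 96
        dirs = opt + 96
    elif magic == 0x20B:      # PE32+: they begin at offset 112
        dirs = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    checksum_off = opt + 64
    size_of_headers = struct.unpack_from("<I", data, opt + 60)[0]
    secdir_off = dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY
    cert_off, cert_len = struct.unpack_from("<II", data, secdir_off)
    sect_tab = opt + opt_size
    sections = []
    for i in range(nsections):
        size_raw, ptr_raw = struct.unpack_from("<II", data, sect_tab + 40 * i + 16)
        if size_raw:
            sections.append((ptr_raw, size_raw))
    sections.sort()  # sections are hashed in file order
    return checksum_off, secdir_off, size_of_headers, sections, cert_off, cert_len


def authenticode_hash(data: bytes, algo: str = "sha256") -> str:
    checksum_off, secdir_off, hdr_size, sections, cert_off, cert_len = pe_layout(data)
    h = hashlib.new(algo)
    h.update(data[:checksum_off])                  # headers up to CheckSum
    h.update(data[checksum_off + 4:secdir_off])    # skip CheckSum, up to the security entry
    h.update(data[secdir_off + 8:hdr_size])        # skip the entry, rest of the headers
    hashed = hdr_size
    for ptr, size in sections:
        h.update(data[ptr:ptr + size])
        hashed += size
    # Any trailing data is hashed too, minus the attribute certificate table.
    tail = data[hashed:]
    if cert_len:
        tail = data[hashed:cert_off] + data[cert_off + cert_len:]
    h.update(tail)
    return h.hexdigest()


def build_minimal_pe32(section_payload: bytes) -> bytearray:
    """Constructed sample: a minimal PE32 image with one section (not executable)."""
    pe_off, hdr_size, raw_size = 0x40, 0x200, 0x200
    img = bytearray(hdr_size + raw_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, pe_off)
    img[pe_off:pe_off + 4] = b"PE\0\0"
    coff = pe_off + 4
    # Machine i386, 1 section, no symbols, 224-byte optional header, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", img, opt + 60, hdr_size)  # SizeOfHeaders
    struct.pack_into("<I", img, opt + 64, 0xDEADBEEF)  # CheckSum (not covered by the hash)
    struct.pack_into("<I", img, opt + 92, 16)        # NumberOfRvaAndSizes
    sect = opt + 224
    struct.pack_into("<8sIIII", img, sect, b".text", len(section_payload), 0x1000, raw_size, hdr_size)
    img[hdr_size:hdr_size + len(section_payload)] = section_payload
    return img


def attach_certificate_table(img: bytes, pkcs7_blob: bytes) -> bytearray:
    """Append a WIN_CERTIFICATE (revision 2.0, PKCS#7 SignedData type) and point the
    security directory at it, the way a signing tool extends a file."""
    out = bytearray(img)
    _, secdir_off, *_ = pe_layout(out)
    cert_off = len(out)
    body = struct.pack("<IHH", 0, 0x0200, 0x0002) + pkcs7_blob
    body += b"\0" * ((-len(body)) % 8)           # entries are 8-byte aligned
    struct.pack_into("<I", body := bytearray(body), 0, len(body))  # dwLength
    out += body
    struct.pack_into("<II", out, secdir_off, cert_off, len(body))
    return out


def demo() -> dict:
    img = bytes(build_minimal_pe32(b"constructed section payload"))
    original = authenticode_hash(img)
    signed = bytes(attach_certificate_table(img, b"constructed placeholder for a PKCS#7 blob"))
    tampered = bytearray(signed)
    tampered[0x200] ^= 0xFF                      # flip one byte of section data
    return {
        "unchanged_by_cert_table": authenticode_hash(signed) == original,
        "changed_by_code_edit": authenticode_hash(bytes(tampered)) != original,
        "md5_accepted": acceptable_digest("md5"),
    }


if __name__ == "__main__":
    print(demo())
```

Run as-is and the dictionary shows the two properties that matter for the thread: the hash ignores the certificate table, so moving a signature block from one file to another does nothing to make the second file's hash match the signed one, and the policy check refuses MD5 regardless of how the file was signed. A real verifier would additionally parse the PKCS#7 blob, check the certificate chain, and honour revocation, which is exactly the control Adobe applied to the compromised certificate.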
 