In my vainer moments, I’ve been known to say “I’m almost always right and I almost always wish I wasn’t” but that fits what was revealed yesterday by Adobe. Their code-signing infrastructure got hacked and now you have to worry about some really bad software out there that your computers will think are valid, safe applications from Adobe. One of them is pwdump which gets Windows passwords.
Ever since Flame, I’ve been saying that if Microsoft’s update infrastructure got hacked, that it was only a matter of time before another vendor’s did too. And that’s what this is all about. The methods are different but both boil down to exploiting mistakes Microsoft and Adobe made in their PKI used to sign code.
The reason this is so bad is that it allows the bad guy to trick your systems into running really bad code that looks like it came from Adobe – but you get that right? It really stinks though because no matter how good you maintain your systems you are still at the mercy of the security of your software vendors. They sneeze but you get the cold.
How can you stop this particular threat?
More importantly how can you deploy some strategic technologies and controls to address the risk of compromised code signatures and vendor update infrastructures?
I’ll be posting tactical information at my blog (
www.ultimatewindowssecurity.com/blog) as it becomes available. Then on Wednesday, I’m hosting a “crash” webinar to discuss this particular Adobe incident but also look at the broader picture in terms of how to pre-emptively control your exposure to the mistakes of your software vendors and/or when they get hacked. (In all fairness no one is safe from getting breached.)
Please watch my
blog (or subscribe to my Twitter/FaceBook/LinkedIn feeds) for up to the minute information and register now for Wednesday’s webinar with Russ Ernst from Lumension: “Code Signing Debacle 2.0: A Hacked Adobe Server and Its Impact on Us All”.