In the wake of Adobe’s warning, Thursday, about a high profile compromise on its network, security experts say the incident raises troubling questions about the extent of the breach at a company that makes software running on hundreds of millions of computers.
Adobe said, in an official statement, that the breach was limited to a single build server and that the attackers did not have access to any of the company’s source code repositories. Writing on Thursday, Brad Arkin, Adobe’s Senior Director of Product Security And Privacy, reassured customers that the company’s source code wasn’t stolen, nor did the hackers have access to code for any of Adobe’s core products like Adobe Reader or Flash.
However, security experts said the nature of the attack – which Adobe has described as having the characteristics of an “APT” – or advanced persistent threat – make it difficult to know what attackers did or did not have access to.
Writing on the SANS Internet Storm Center (ISC) blog on Friday, ISC handler Joel Esler said that Arkin and Adobe’s security team are very competent and highly regarded but “you never know.” “There is one thing we are sure of, we don’t know the extent of the damage and hope there was nothing more compromised than what Adobe has found in their investigation,” he wrote.
David Aitel, CEO of Immunity Inc. and an expert on exploiting weaknesses in software and network defenses voiced similar concerns, noting that the details that are public about the breach aren’t encouraging.
“If you put yourself in the hacker’s position you realize how much they must have known about Adobe internals to perform the hack they performed,” Aitel wrote in an e-mail. “And if they had that kind of access it’s very hard to say that they were limited in their access and are completely removed from the network.”
On Thursday, Adobe released a security advisory informing customers that it will revoke a code signing certificate that was compromised in the attack and misused to sign malicious applications. Adobe plans to revoke the certificate on October 4, affecting software signed with the certificate after July 10, 2012. In the coming days, the company will issue updates affected products using a new digital certificate.
Part of the challenge is that Adobe’s internal investigation of the breach is ongoing. Adobe said it is investigating the misuse of the certificate to sign two malicious programs, identified as pwdump7 v7.1, a utility that extracts password hashes from the Windows operating system. The second file, myGeeksmail.dll, is a malicious ISAPI filter, though Adobe said it does not know of any signed versions of that file in the wild.
The company said that it has many layers of security around its code signing process. The private keys associated with the Adobe code signing certificates were stored in Hardware Security Modules (HSMs) that were kept in physically secure facilities. All entities authorized to request digital signatures were provisioned according to an established procedure that verified the identity of the entity and verified that the release engineering environment met the relevant assurance criteria. All code signing requests were submitted via mutually authenticated Transport Layer Security (TLS) connections to the code signing service and were performed only if the requesting entity came from the originally provisioned IP address, the company wrote.
Nevertheless, attackers were able to identify a build server within the company that had access to the code signing service and that was improperly (read “insecurely”) configured. Through some lapse in Adobe’s internal controls, the vulnerable configuration was not detected prior to the server requesting access to the code signing service.
Adobe said that the account used to sign the malicious applications was a dedicated account with access to only one product. Adobe has identified the affected products: Adobe Muse, the Adobe Story AIR applications and the Acrobat.com desktop services that run on both Windows and Macintosh.
The account couldn’t have been used to access Adobe source code for any other products and the company said it has reviewed all activity made to the source code repository and saw no source code changes or insertions that would indicate tampering with the company’s source code.
But those assurances only go so far and, so long as the company’s internal investigation is ongoing, Adobe’s many corporate customers are likely to worry.
“People are writing in to us asking what this impacts and what happened,” wrote Esler at SANS ISC.
Aitel said the big concern is that attackers with access deep within Adobe’s corporate network would steal source code.
“Adobe says no source code was lost but they cannot possibly know that, and as a hacker it would be one of your first targets,” Aitel wrote.
Writing for Adobe, Arkin said that his firm learned a great deal about “current issues with code signing and the impact of the inappropriate use of a code signing certificate.” Adobe said it plans to share what it has learned and start a discussion about the best way to protect users and minimize the impact on users in cases where the revocation of a certificate becomes necessary in the weeks ahead.