
List:       full-disclosure
Subject:    [Full-disclosure] Adobe certificate server hacked - code-signing certs getting revoked on Oct. 4th
From:       Ray P <sixsigma98 () hotmail ! com>
Date:       2012-09-28 1:27:26
Message-ID: BAY167-W91638EA31059E5F738260CDD820 () phx ! gbl

http://helpx.adobe.com/x-productkb/global/certificate-updates.html

The Adobe guidance says you don't have to do anything if you use Flash
and Reader. But if you manage Flash and Reader (and other products) in
an enterprise, you do.

Wait, what?

It sounds like they are obliquely assuming that everyone is letting
Adobe products auto-update so they will get a re-signed version
automatically. But if you don't allow auto-updates, you've got a week
to replace everything. The question is whether you'll just get a
certificate warning if trying to install or if you'll get a certificate
warning when you run the affected applications. If the latter, there
are going to be a lot of upset people, if it's even possible to be more
upset with Adobe, that is. :-)

I'm betting we now know what that stealth Flash update was last week,
the one that showed up by auto-update and had no release notes.

My favorite from the FAQ:

Q: If Adobe software is not vulnerable and customers should not notice
anything out of the ordinary during the revocation process, why do I
need to update my Adobe software?

A: Adobe is issuing updates for all impacted products to provide
customers with software code signed using a new digital certificate. To
determine whether an update signed using a new digital certificate is
available for your Adobe software installation, please refer to
Security certificate updates.

Ummmm, Mr. Adobe, how did your response answer the question you asked yourself?



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
