Reference: CERT-EU Security Advisory 2012-0118

Title: Revocation of Adobe Code Signing Certificate [1]

Version history:
09.10.2012 Initial publication

Summary
=======

Adobe is investigating what appears to be the misuse of an Adobe code signing certificate. Adobe revoked the certificate on October 4 for all software code signed after July 10, 2012 (00:00 GMT). Adobe has issued updates signed using a new digital certificate for all affected products.

The following certificate has been revoked and the certificate revocation list (CRL) is available at http://csc3-2010-crl.verisign.com/CSC3-2010.crl:

sha1RSA certificate
Issued to Adobe Systems Incorporated
Issued by VeriSign Class 3 Code Signing 2010 CA
Serial Number: 15 e5 ac 0a 48 70 63 71 8e 39 da 52 30 1a 04 88
sha1 Thumbprint: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c
Valid from December 14, 2010 5:00 PM PST (GMT -8:00) to December 14, 2012 4:59:59 PM PST (GMT -8:00)

The revocation of the certificate affects the Windows platform and three Adobe AIR applications (Adobe Muse and Adobe Story AIR applications as well as Acrobat.com desktop services) that run on both Windows and Macintosh. The revocation does not impact any other Adobe software for Macintosh or other platforms.

Vulnerable systems
==================

This issue has no impact on the security of your genuine Adobe software.

Original Details
================

Adobe is investigating what appears to be the misuse of an Adobe code signing certificate. Adobe is aware at this time of two malicious utilities from a single source that appeared to be digitally signed using a valid Adobe code-signing certificate.

The first malicious utility is pwdump7 v7.1. This utility extracts password hashes from the Windows OS and is sometimes used as a single file that statically links the OpenSSL library libeay.dll. The sample we received included the two files as separate, individually signed files.

PwDump7.exe:
MD5 hash: 130F7543D2360C40F8703D3898AFAC22
File size: 81.6 KB (83,648 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:40 PM PDT (GMT -7:00)
MD5 hash of file with signature removed: D1337B9E8BAC0EE285492B89F895CADB

libeay32.dll:
MD5 hash: 095AB1CCC827BE2F38620256A620F7A4
File size: 999 KB (1,023,168 bytes)
Signature timestamp: Thursday, July 26, 2012 8:44:13 PM PDT (GMT -7:00)
MD5 hash of file with signature removed: A7EFD09E5B963AF88CE2FC5B8EB7127C

The second malicious utility, myGeeksmail.dll, appears to be a malicious ISAPI filter. Unlike the first utility, we are not aware of any publicly available versions of this ISAPI filter.

myGeeksmail.dll:
MD5 hash: 46DB73375F05F09AC78EC3D940F3E61A
File size: 80.6 KB (82,624 bytes)
Signature timestamp: Wednesday, July 25, 2012 8:48:59 PM (GMT -7:00)
MD5 hash of file with signature removed: 8EA2420013090077EA875B97D7D1FF07

Adobe has shared information about these files with partners in the security community, including participants in the Microsoft Active Protections Program (MAPP), to enable them to quickly develop detection and quarantine methods to protect against the inappropriately signed utilities.

For more information related to this issue, please refer to the blog post [3].

What can you do?
================

The vast majority of Adobe customers will not be impacted by this issue. However, some customers, in particular administrators in managed Windows environments, may need to take certain action. To determine whether you or your organization are impacted, please refer to the support page on the Adobe website [1].

Screen your systems for the files listed above. Regularly check [1] and the blog post [3] for any updates and tools that can help in identifying vulnerable systems.

What to tell your users?
========================

N/A

More information
================

[1] http://www.adobe.com/support/security/advisories/apsa12-01.html
[2] http://csc3-2010-crl.verisign.com/CSC3-2010.crl
[3] http://blogs.adobe.com/conversations/2012/09/adobe-to-revoke-code-signing-certificate.html

Best regards,
CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383
Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html
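
One way to carry out the "Screen your systems for files listed above" step, as an added example that is not part of the CERT-EU or Adobe text: a directory sweep that matches files against the six MD5 values in the advisory regardless of file name. The function names, the size cut-off logic and the command-line usage are assumptions of this example.

```python
import hashlib
import os

# MD5 indicators copied from the advisory (signed file and signature-removed variant).
ADVISORY_MD5 = {
    "130F7543D2360C40F8703D3898AFAC22": "PwDump7.exe (signed)",
    "D1337B9E8BAC0EE285492B89F895CADB": "PwDump7.exe (signature removed)",
    "095AB1CCC827BE2F38620256A620F7A4": "libeay32.dll (signed)",
    "A7EFD09E5B963AF88CE2FC5B8EB7127C": "libeay32.dll (signature removed)",
    "46DB73375F05F09AC78EC3D940F3E61A": "myGeeksmail.dll (signed)",
    "8EA2420013090077EA875B97D7D1FF07": "myGeeksmail.dll (signature removed)",
}
# The largest signed sample is 1,023,168 bytes and a copy with the signature
# removed is smaller, so larger files cannot match and are skipped unhashed.
MAX_SIZE = 1_023_168


def md5_file(path, chunk=1 << 16):
    h = hashlib.md5()  # MD5 only because the advisory publishes MD5 indicators
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest().upper()


def screen(root, indicators=ADVISORY_MD5, max_size=MAX_SIZE):
    """Walk root; return (hits, unreadable), hits being (path, label) pairs."""
    hits, unreadable = [], []
    on_error = lambda e: unreadable.append(e.filename)
    for dirpath, _dirs, files in os.walk(root, onerror=on_error):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if os.path.islink(path) or os.path.getsize(path) > max_size:
                    continue
                digest = md5_file(path)
            except OSError:
                unreadable.append(path)  # locked or denied: report, do not hide
                continue
            if digest in indicators:
                hits.append((path, indicators[digest]))
    return hits, unreadable


if __name__ == "__main__":
    import sys
    found, skipped = screen(sys.argv[1] if len(sys.argv) > 1 else ".")
    for path, label in found:
        print(f"MATCH {label}: {path}")
    print(f"{len(found)} match(es), {len(skipped)} unreadable path(s)")
```

Paths returned as unreadable were not checked and should be rescanned with sufficient privileges rather than treated as clean.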