Full Disclosure mailing list archives
Adobe certificate server hacked - code-signing certs getting revoked on Oct .4th
From: Ray P <sixsigma98 () hotmail com>
Date: Fri, 28 Sep 2012 01:27:26 +0000
http://helpx.adobe.com/x-productkb/global/certificate-updates.html The Adobe guidance says you don't have to do anything if you use Flash and Reader. But if you manage Flash and Reader (and other products) in an enterprise, you do. Wait, what? It sounds like they are obliquely assuming that everyone is letting Adobe products auto-update so they will get a re-signed version automatically. But if you don't allow auto-updates, you've got a week to replace everything. The question is whether you'll just get a certificate warning if trying to install or if you'll get a certificate warning when you run the affected applications. If the latter, there are going to be a lot of upset people, if it's even possible to be more upset with Adobe, that is. :-) I'm betting we now know what that stealth Flash update was last week, the one that showed up by auto-update and had no release notes. My favorite from the FAQ: Q: If Adobe software is not vulnerable and customers should not notice anything out of the ordinary during the revocation process, why do I need to update my Adobe software? A: Adobe is issuing updates for all impacted products to provide customers with software code signed using a new digital certificate. To determine whether an update signed using a new digital certificate is available for your Adobe software installation, please refer to Security certificate updates. Ummmm, Mr. Adobe, how did your response answer the question you asked yourself?
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Adobe certificate server hacked - code-signing certs getting revoked on Oct .4th Ray P (Sep 27)