Adobe certificate server hacked - code-signing certs getting revoked on Oct .4th

[Ray P <sixsigma98 () hotmail com>]

http://helpx.adobe.com/x-productkb/global/certificate-updates.html

The
 Adobe guidance says you don't have to do anything if you use Flash and 
Reader. But if you manage Flash and Reader (and other products) in an 
enterprise, you do.

Wait, what?

It sounds like they are 
obliquely assuming that everyone is letting Adobe products auto-update 
so they will get a re-signed version automatically. But if you don't 
allow auto-updates, you've got a week to replace everything. The 
question is whether you'll just get a certificate warning if trying to 
install or if you'll get a certificate warning when you run the affected
 applications. If the latter, there are going to be a lot of upset 
people, if it's even possible to be more upset with Adobe, that is. :-)

I'm
 betting we now know what that stealth Flash update was last week, the 
one that showed up by auto-update and had no release notes.

My favorite from the FAQ:

Q: If Adobe software is not vulnerable and customers should not notice anything out of the ordinary during the 
revocation process, why do I need to update my Adobe software?

A: Adobe is issuing updates for all impacted products to provide customers with software code signed using a new 
digital certificate. To determine whether an update signed using a new digital certificate is available for your Adobe 
software installation, please refer to Security certificate updates.

Ummmm, Mr. Adobe, how did your response answer the question you asked yourself?                                         

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/