Blog

  • Hackers Breached Adobe Server in Order to Sign Their Malware

    posted by Keito
    2012-09-29 17:01:17
    'The ongoing security saga involving digital certificates got a new and disturbing wrinkle on Thursday when software giant Adobe announced that attackers breached its code-signing system and used it to sign their malware with a valid digital certificate from Adobe.

    Adobe said the attackers signed at least two malicious utility programs with the valid Adobe certificate. The company traced the problem to a compromised build server that had the ability to get code approved from the company’s code-signing system.

    Adobe said it was revoking the certificate and planned to issue new certificates for legitimate Adobe products that were also signed with the same certificate, wrote Brad Arkin, senior director of product security and privacy for Adobe, in a blog post.

    “This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh,” Arkin wrote. “The revocation does not impact any other Adobe software for Macintosh or other platforms.”

    The three affected applications are Adobe Muse, Adobe Story AIR applications, and Acrobat.com desktop services.

    The company said it had good reason to believe the signed malware wasn’t a threat to the general population, and that the two malicious programs signed with the certificate are generally used for targeted, rather than broad-based, attacks.

    Arkin identified the two pieces of malware signed with the Adobe certificate as “pwdump7 v7.1″ and “myGeeksmail.dll.” He said that the company passed them on to anti-virus companies and other security firms so that they could write signatures to detect the malware and protect their customers, according to the post.

    Adobe didn’t say when the breach occurred, but noted that it was re-issuing certificates for code that was signed with the compromised signing key after July 10, 2012. Also, a security advisory the company released with its announcement showed that the two malicious programs were signed on July 26 of this year. Adobe spokeswoman Liebke Lips told Wired that the company first learned of the issue when it received samples of the two malicious programs from an unnamed party on the evening of Sept. 12. The company then immediately began the process of deactivating and revoking the certificate.

    The company said the certificate will be re-issued on Oct. 4, but didn’t explain why it would take that long.

    Digital certificates are a core part of the trust that exists between software makers and their users. Software vendors sign their code with digital certificates so that computers recognize a program as legitimate code from a trusted source. An attacker who can sign their malware with a valid certificate can slip past protective barriers that prevent unsigned software from installing automatically on a machine.

    Revoking the certificate should prevent the signed rogue code from installing without a warning.

    Stuxnet, a sophisticated piece of malware that was designed to sabotage Iran’s nuclear program, was the first malicious code discovered in the wild to be using a valid digital certificate. In that case the attackers – believed to have been working for the U.S. and Israel – stole digital certificates from two companies in Taiwan to sign part of their code.

    Adobe said that it stored its private keys for signing certificates in a hardware security module and had strict procedures in place for signing code. The intruders breached a build server that had access to the signing system and were able to sign their malicious programs in that way.

    In addition to concerns about the compromised certificate, the breach of the build server raises concerns about the security of Adobe’s source code, which might have been accessible to the attackers. But Arkin wrote that the compromised build server had access to source code for only one Adobe product. The company did not identify the product but said that it was not the Flash Player, Adobe Reader, Shockwave Player or Adobe AIR. Arkin wrote that investigators found no evidence that the intruders had changed source code and that “there is no evidence to date that any source code was stolen.”

    Questions about the security of Adobe’s source code came up earlier this month after Symantec released a report about a group of hackers who broke into servers belonging to Google and 33 other companies in 2010. The attackers were after source code for the companies. Adobe was hacked around the same time, but has never indicated if the same attackers that hit Google were responsible for hacking them.

    Symantec found evidence that the attackers who struck Google had developed and used an unusually large number of zero-day exploits in subsequent attacks against other companies. The attackers used eight zero-day exploits, five of which were for Adobe’s Flash Player. Symantec said in its report that such a large number of zero-days suggested that the attackers might have gained access to Adobe’s source code. But Arkin insisted at the time that no Adobe software had been stolen.

    “We are not aware of any evidence (direct or circumstantial) indicating bad guys have [source code],” he told Wired at the time.'

    http://www.wired.com/threatlevel/2012/09/adobe-digital-cert-hacked/
  • Adobe Flash Player exits Android Google Play store

    posted by Keito
    2012-08-15 16:20:47
    'Adobe is pulling its Flash Player plug-in from Android's Google Play store.

    It follows a decision to halt development of the software for mobile devices.

    The plug-in allows multimedia content created using the Flash format to be viewed via a web browser.

    Adobe will continue to develop the player for PCs. It will also support Air - a tool which lets developers turn web-based applications using Flash into standalone mobile apps.

    The Flash Player had been popular on Google Play - with two-thirds of users giving it a top score.

    But Adobe said it was removing the option to install the plug-in because it was likely to exhibit "unpredictable behaviour" when used with the latest version of Android, known as Jelly Bean.

    It also suggested that smartphone owners who had upgraded to the latest system should uninstall the Flash Player if it was already on their device.

    Although Adobe is no longer actively developing the player for Android, Blackberry or Symbian devices - and never released it for Apple iOS or Windows Phone handsets - it has said it would continue to offer security updates and bug fixes for existing versions until September 2013.

    Adobe v Apple...

    Adobe first offered the Flash Player for smartphones in 2010 but faced a setback when Apple refused to allow it to be installed on iPhones and iPads.

    An article published by Apple's former chief executive Steve Jobs suggested supporting Flash would compromise the reliability, battery life and security of his firm's products.

    Instead he promoted the HTML 5 web standard, urging Adobe to focus on it as an alternative.

    YouTube's decision to encode its videos in HTML 5 also helped speed up the format's adoption.

    When Adobe announced its decision to end development of the mobile Flash Player it acknowledged that HTML 5 had become "the best solution for creating and deploying content in the browser across mobile platforms" and said it would boost its investment in the format.

    Flash lives on...

    Adobe's chief technology officer, Kevin Lynch, told the BBC it was "too theoretical" to speculate about whether its mobile Flash Player would have found more support had it handled its development differently.

    But he stressed the firm was still confident about its future on PCs.

    "With Flash we're focusing on two areas," he said.

    "One is console quality gaming - this is really bringing the level of gaming to the web that you can see on consoles today and with Flash we actually reach more people than any of the gaming platforms. That includes working on 3D technology inside the browser.

    "The second area is premium copy-protected video for people who have high value video, like movie studios or cable companies, who want viewers to watch the video anywhere but also want to make sure its protected."

    He added that some of these innovations could ultimately find their way to HTML 5 through his firm's contribution to the Webkit Open Source Project - a web browser engine which renders webpages - and its involvement in the platform's standards body W3C (World Wide Web Consortium).

    User backlash...

    Recent comments left on Google Play show some users are unhappy that Adobe was ending support for the Flash Player at this point.

    "We all understand the world is transitioning to HTML 5 but cutting Flash support this early is commercial suicide," wrote one user.

    Another posted: "Flash was the reason I bought a Galaxy Tab instead of iPad! I can't believe Adobe and Google would do this."

    While a third said: "This is the single biggest difference between the Android and iOS web experience. Seemingly half the web is still based on Flash, and my device is now powerless to view any of that content."

    Several also noted that some other apps, including the BBC's iPlayer for Android, also request that Flash Player be installed.

    The BBC said it was working on an update.

    "The BBC is working with Adobe on an alternative video player for Android, ensuring audiences with Android devices continue to enjoy BBC iPlayer," said Daniel Danker, general manager of On-Demand at the BBC.

    "We do have concerns about fragmentation of Android devices and new updates to the Android platform, which have created an inconsistent video playback experience for our audience, and we are working with Google to find ways to address this."'

    http://www.bbc.com/news/technology-19267140
  • GIMP Magazine Launching Fall 2012

    posted by Keito
    2012-07-21 17:26:24
    It took a while to adjust to Gimp, after having been first trained in Adobe Photoshop. Once you stop treating it as a Photoshop replacement/free-libre open source copy of the Adobe image editor, you soon realise that it stands up as a fantastic editor regardless. I've been using it for nearly a decade now, and loving every minute.

    "GIMP is an amazing image editing software package similar to Adobe Photoshop, but licensed as free and open source. The latest version of GIMP (2.8) has been downloaded over 6.5 Million times in just two months, so this is a huge community of skilled & dedicated users.

    GIMP Magazine features the amazing works created from this world wide community. Photography, digital arts, graphic arts, design, tips & tricks, step by step tutorials, master classes, help desk questions, book and product reviews and so much more are showcased and explored in this quarterly publication. This publication is available for free and is licensed Creative Commons CC-AT-SA 2.5."

    http://gimpmagazine.org/