The configuration of the build server was not up to Adobe's corporate standards for a server of this nature, Arkin said. "We are investigating why our code-signing access provisioning process in this case failed to identify these deficiencies."
The misused code-signing certificate was issued by VeriSign on Dec. 14, 2010, and is scheduled to be revoked at Adobe's request on Oct. 4. This operation will impact Adobe software products that were signed after July 10, 2012.
"This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh," Arkin said.
Adobe published a help page that lists the affected products and contains links to updated versions signed with a new certificate.
Symantec, which now owns and operates the VeriSign certificate authority, stressed that the misused code-signing certificate was entirely under Adobe's control.
"None of Symantec's code-signing certificates were at risk," Symantec said Thursday in an emailed statement. "This was not a compromise of Symantec's code-signing certificates, network or infrastructure."
Adobe decommissioned its code-signing infrastructure and replaced it with an interim signing service that requires files to be manually checked before being signed, Arkin said. "We are in the process of designing and deploying a new, permanent signing solution."
It's hard to determine the implications of this incident, because we can't be sure that only the shared samples were signed without authorization Botezatu said. "If the password dumper application and the open-source SSL library are relatively innocuous, the rogue ISAPI filter can be used for man-in-the-middle attacks - typical attacks that manipulate the traffic from the user to the server and vice-versa, among others," he said.
Sign up for Computerworld eNewsletters.