Hackers have breached Adobe's code-signing system allowing them to spread their malware under the guise of official Adobe software.

Adobe security chief Brad Arkin
Adobe security chief Brad Arkin says the attack on one of its servers was carried out by "sophisticated threat actors." Reuters

Adobe has said that at least two malicious utility programs were signed with valid Adobe certificates. Although only two files were signed using the certificate, this breach signals a raising of the stakes in the world of Advanced Persistent Threats (APTs).

Adobe has said that code signed since 10 July, 2012 will be affected, meaning that the attackers had access to Adobe's infrastructure for more than two months.

In a blog post on the breach, Adobe said it will revoke the impacted certificates for all code signed after 10 July, but not until next week, 4 October. The certificate revocation will be included in the certificate revocation list (CRL) published by VeriSign and no end user or administrator action is required to receive the updated CRL.

Brad Arkin, Adobe's security chief, didn't give many details about the nature of the security breach: "We have identified a compromised build server with access to the Adobe code signing infrastructure. We are proceeding with plans to revoke the certificate and publish updates for existing Adobe software signed using the impacted certificate."

He went on to say that the breach "only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh. The revocation does not impact any other Adobe software for Macintosh or other platforms."

The three applications affected are Adobe Muse and Adobe Story AIR applications as well as Acrobat.com desktop services.

Build server

Arkin wrote that the compromised build server had access to source code for only one Adobe product. The company did not reveal the name of the product but said it was not Flash Player, Adobe Reader, Shockwave Player or Adobe AIR.

Arkin said investigators found no evidence the attackers had changed source code and "there is no evidence to date that any source code was stolen."

The attackers were "sophisticated threat actors" according to Arkin, saying they woudl use the signed software during highly targeted attacks for "privilege escalation and lateral movement" once they have gained access to a network.

Arking added that because of this modus operandi, "the vast majority of users are not at risk" as the attackers would carry out very targeted, rather than broad, attacks.

Trust

Digital certificates are a vital part of the trust which exists between software makers and the end users. These certificates are used to digitally sign the software so the users' system knows it can trust the software.

The Adobe breach is the latest in a series of attacks on the digital certificate system. Stuxnet, a computer worm designed to disrupt Iran's nuclear enrichment facility at Natanz, used stolen digital certificates to trick the facility's computer systems.

Earlier this year, it emerged that high level cryptography was used to replicate Microsoft's Windows Root certificates to aid the spread of the Flame virus, which targeted computer systems in the Middle East.

Both Stuxnet and Flame are products of collaboration between the US and Israeli governments, though both sides officially deny involvement in their creation.