lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 28 Sep 2012 01:27:26 +0000
From: Ray P <sixsigma98@...mail.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: Adobe certificate server hacked - code-signing
 certs getting revoked on Oct .4th


http://helpx.adobe.com/x-productkb/global/certificate-updates.html

The
 Adobe guidance says you don't have to do anything if you use Flash and 
Reader. But if you manage Flash and Reader (and other products) in an 
enterprise, you do.

Wait, what?

It sounds like they are 
obliquely assuming that everyone is letting Adobe products auto-update 
so they will get a re-signed version automatically. But if you don't 
allow auto-updates, you've got a week to replace everything. The 
question is whether you'll just get a certificate warning if trying to 
install or if you'll get a certificate warning when you run the affected
 applications. If the latter, there are going to be a lot of upset 
people, if it's even possible to be more upset with Adobe, that is. :-)

I'm
 betting we now know what that stealth Flash update was last week, the 
one that showed up by auto-update and had no release notes.

My favorite from the FAQ:

Q: If Adobe software is not vulnerable and customers should not notice anything out of the ordinary during the revocation process, why do I need to update my Adobe software?

A: Adobe is issuing updates for all impacted products to provide customers with software code signed using a new digital certificate. To determine whether an update signed using a new digital certificate is available for your Adobe software installation, please refer to Security certificate updates.

Ummmm, Mr. Adobe, how did your response answer the question you asked yourself? 		 	   		  
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ