[Full-disclosure] Adobe certificate server hacked - code-signing certs getting revoked on Oct .4th

[Ray P <sixsigma98@xxxxxxxxxxx>]

http://helpx.adobe.com/x-productkb/global/certificate-updates.html

The
 Adobe guidance says you don't have to do anything if you use Flash and 
Reader. But if you manage Flash and Reader (and other products) in an 
enterprise, you do.

Wait, what?

It sounds like they are 
obliquely assuming that everyone is letting Adobe products auto-update 
so they will get a re-signed version automatically. But if you don't 
allow auto-updates, you've got a week to replace everything. The 
question is whether you'll just get a certificate warning if trying to 
install or if you'll get a certificate warning when you run the affected
 applications. If the latter, there are going to be a lot of upset 
people, if it's even possible to be more upset with Adobe, that is. :-)

I'm
 betting we now know what that stealth Flash update was last week, the 
one that showed up by auto-update and had no release notes.

My favorite from the FAQ:

Q: If Adobe software is not vulnerable and customers should not notice anything 
out of the ordinary during the revocation process, why do I need to update my 
Adobe software?

A: Adobe is issuing updates for all impacted products to provide customers with 
software code signed using a new digital certificate. To determine whether an 
update signed using a new digital certificate is available for your Adobe 
software installation, please refer to Security certificate updates.

Ummmm, Mr. Adobe, how did your response answer the question you asked yourself? 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/