Adobe investigated what appears to be the inappropriate use of an Adobe code signing certificate for Windows. We revoked the impacted certificate on October 4, 2012 for all software code signed after July 10, 2012.

Revoking the impacted certificate

Q: Why did Adobe revoke the certificate?

A: To maintain trust in genuine Adobe software, we revoked the impacted certificate on October 4, 2012 for all software code signed after July 10, 2012. We are in the process of issuing updates signed using a new digital certificate for all affected products.

Code signing explained

Q: What is a code signing certificate?

A: Code signing certificates are used to digitally sign software programs. Many software developers, including Adobe, digitally sign the programs they create in order to assure customers that the programs are legitimate and have not been modified.

Q: How does code signing work?

A: Digital signatures use public key cryptography technology to secure and authenticate code.

  1. A developer adds a digital signature to code or content using a unique private key from a code signing certificate.
  2. When a user downloads or encounters signed code, the user’s system software or application uses a public key to decrypt the signature.
  3. The system looks for a “root” certificate with an identity it trusts or recognizes to authenticate the signature.
  4. The system then compares the hash used to sign the application against the hash on the downloaded application.
  5. If the system trusts the root and the hashes match, the download or execution continues.
  6. If the system does not trust the root or the hashes do not match, the system interrupts the download with a warning or the download fails.
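The steps above as a small runnable model, added here as an example; it is not Adobe's code or the Windows implementation. It uses textbook RSA with a toy key (no padding, not secure), and the certificate record, trust store, names such as `verify` and `CERT`, and the signing dates are constructed assumptions. The signing date is taken as trustworthy input, and the revocation check applies the cut-off stated on this page (code signed after July 10, 2012).

```python
import hashlib
from datetime import date

# Toy key pair: textbook RSA, no padding, small modulus. Illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537          # two Mersenne primes
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))              # private exponent (developer only)

# Constructed certificate record, trust store and revocation list.
CERT = {"serial": "EXAMPLE-SERIAL", "root": "Example Root CA", "n": N, "e": E}
ROOTS = {"Example Root CA"}
REVOKED_AFTER = {"EXAMPLE-SERIAL": date(2012, 7, 10)}   # cut-off from this page

def digest(data: bytes, n: int) -> int:
    """SHA-256 of the file, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data: bytes) -> int:
    """Step 1: the developer signs the file's hash with the private key."""
    return pow(digest(data, N), D, N)

def verify(data, signature, signed_on, cert=CERT, roots=ROOTS, revoked=REVOKED_AFTER):
    """Steps 2-6, then the revocation check; returns a verdict string."""
    recovered = pow(signature, cert["e"], cert["n"])    # step 2: apply public key
    if cert["root"] not in roots:                       # step 3: trusted root?
        return "untrusted root"
    if recovered != digest(data, cert["n"]):            # step 4: hashes match?
        return "hash mismatch"
    cutoff = revoked.get(cert["serial"])
    if cutoff is not None and signed_on > cutoff:       # revoked for later signatures
        return "revoked"
    return "ok"                                         # step 5: continue

if __name__ == "__main__":
    installer = b"constructed installer bytes"
    sig = sign(installer)
    print(verify(installer, sig, date(2012, 6, 1)))           # signed before cut-off
    print(verify(installer, sig, date(2012, 8, 15)))          # signed after cut-off
    print(verify(installer + b"!", sig, date(2012, 6, 1)))    # modified file
    print(verify(installer, sig, date(2012, 6, 1), roots=set()))  # unknown root
```

The same file and signature produce different verdicts depending only on the signing date, which is why software signed on or before the cut-off keeps validating after the revocation.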

Q: Could a code signing certificate be used for purposes other than code signing?

A: No. All digital certificates carry a marking that restricts what they can be used for. This particular certificate can only be used to digitally sign programs. It cannot be used to encrypt data, sign documents or emails, or do anything else besides signing programs.

Customer impact: Security

Q: Was the certificate revoked as a result of a security vulnerability or defect in an Adobe product?

A: No. This issue has no impact on the security of your genuine Adobe software.

Q: Are there other security risks to users?

A: We have strong reason to believe that this issue does not present a general security risk. The evidence we have seen has been limited to a single isolated discovery of two malicious utilities signed using the certificate and indicates that the certificate was not used to sign widespread malware.

Q: If my software is not vulnerable because of this issue, why do I need to update?

A: Adobe is issuing updates for all impacted products to provide customers with software code signed using a new digital certificate. To determine whether an update signed using a new digital certificate is available for your Adobe software installation, see Security certificate updates.

Customer impact: Revocation

Q: Does the revocation of the certificate affect Adobe software on all platforms?

A: No. The revocation of the certificate affects the Windows platform and three Adobe AIR applications* that run on both Windows and Mac OS. The revocation does not impact any other Adobe software for Mac OS or other platforms.

* Adobe Muse and Adobe Story AIR applications as well as Acrobat.com desktop services

Q: Does the revocation of the impacted certificate have any bearing on third-party Adobe AIR apps?

A: No. The revocation of the certificate affects only AIR apps developed by Adobe and signed using the impacted Adobe code signing certificate. Adobe is in the process of issuing updates for those apps signed with a new Adobe code signing certificate.

Q: What will the user experience be for customers with installations of genuine Adobe software signed using the impacted certificate after it is revoked?

A: Customers should not notice anything out of the ordinary during the certificate revocation process. A few customers, in particular administrators in managed Windows environments, may need to take certain action. To determine whether you or your organization are impacted, see Security certificate updates.

Q: If Adobe software is not vulnerable and customers should not notice anything out of the ordinary during the revocation process, why do I need to update my Adobe software?

A: Adobe is issuing updates for all impacted products to provide customers with software code signed using a new digital certificate. To determine whether an update signed using a new digital certificate is available for your Adobe software installation, see Security certificate updates.

This work is licensed under a Creative Commons Attribution-Noncommercial-Share Alike 3.0 Unported License  Twitter™ and Facebook posts are not covered under the terms of Creative Commons.
