Identity theft isn't just a human problem anymore.
In an intriguing case of malware impersonating legitimate software, a trusted credential from Adobe backfired when two malware programs were found to be signed with a valid Adobe code-signing certificate, letting harmful code infiltrate systems by posing as a software update.
Last week, the software giant, which makes Photoshop, Dreamweaver, Flash and Reader, among other titles, admitted it had fallen prey to hackers who managed to attack a build server and steal authentication certificates used to verify software updates.
Digital signatures backed by such certificates, present in virtually all major-manufacturer software, usually do a good job of helping users distinguish a legitimate update from malware masquerading as one, but in this case they're rendered useless.
Adobe said at least two malicious programs from the same source carried its signature, and cautioned that there could be more out there.
In a statement on the company website, Brad Arkin, senior director of engineering, said Adobe had taken steps to mitigate customer risk.
"As soon as we verified the signatures, we immediately decommissioned the existing Adobe code-signing infrastructure," he said.
According to the statement, most users are not at risk.
"This only affects the Adobe software signed with the impacted certificate that runs on the Windows platform and three Adobe AIR applications that run on both Windows and Macintosh," the statement said.
However, there's one caveat. No one can say for certain how far the intruders got into Adobe's internal network, or how many certificates were compromised. Adobe has identified only one stolen certificate, but who's to say the hackers don't have several more, ready to be used as soon as this one gets revoked?
Arkin pointed out that no other Adobe intellectual property was vandalized or stolen, a fact noted by Dennis Fisher, editor of Kaspersky's Threatpost security blog.
"What's most interesting is what the attackers went after once they were on the network," Fisher wrote. "They weren't so much interested in Adobe's corporate assets or source code, but rather the company's reputation."
Although Adobe has identified and disclosed the security breach, users remain at risk.
The San Jose-based developer said it will revoke the compromised certificate Thursday (Oct. 4) at 4:15 p.m. EST.
Until then, it will be impossible to tell whether an update that claims to come from Adobe actually does. Declining Adobe's updates until the certificate is revoked is the only way to protect your computer from this threat.
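To show why a signature check alone cannot separate the genuine update from the malware until the certificate is revoked, and why a revocation backdated to the break-in still lets earlier legitimate updates verify, here is a small Go model. It is an added illustration, not Adobe's code or a real Authenticode verifier: it uses Ed25519 in place of an X.509 certificate chain and assumes the signing time comes from a trusted timestamp (the role Authenticode's countersignature plays); the key, payloads and dates are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Artifact is a constructed stand-in for a signed installer. SignedAt is assumed
// to come from a trusted timestamp authority (Authenticode's countersignature);
// without that, whoever holds the stolen key could simply backdate the malware.
type Artifact struct {
	Payload   []byte
	Signer    ed25519.PublicKey
	SignedAt  time.Time
	Signature []byte
}

// toSign binds the signing time into the bytes that are signed.
func toSign(payload []byte, at time.Time) []byte {
	return append(at.UTC().AppendFormat(nil, time.RFC3339), payload...)
}
func Sign(priv ed25519.PrivateKey, payload []byte, at time.Time) Artifact {
	pub := priv.Public().(ed25519.PublicKey)
	return Artifact{payload, pub, at, ed25519.Sign(priv, toSign(payload, at))}
}

// Verify treats a valid signature as necessary, not sufficient: the key must be
// the trusted one and must not be revoked as of the signing time. revokedFrom is
// the earliest plausible compromise (zero time = not revoked), not the announcement.
func Verify(a Artifact, trusted ed25519.PublicKey, revokedFrom time.Time) bool {
	if !a.Signer.Equal(trusted) || !ed25519.Verify(a.Signer, toSign(a.Payload, a.SignedAt), a.Signature) {
		return false
	}
	return revokedFrom.IsZero() || a.SignedAt.Before(revokedFrom)
}

// Scenario mirrors the incident: one key signs a genuine update before the break-in
// and malware after it. Returns (legit, malware) verdicts before and after revocation.
func Scenario() (preLegit, preMal, postLegit, postMal bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	breakIn := time.Date(2012, 9, 1, 0, 0, 0, 0, time.UTC) // constructed date
	legit := Sign(priv, []byte("genuine update"), breakIn.AddDate(0, -1, 0))
	mal := Sign(priv, []byte("malware"), breakIn.AddDate(0, 0, 1))
	var none time.Time
	preLegit, preMal = Verify(legit, pub, none), Verify(mal, pub, none)
	postLegit, postMal = Verify(legit, pub, breakIn), Verify(mal, pub, breakIn)
	return
}
func main() { fmt.Println(Scenario()) } // true true true false
```

Before revocation both artifacts pass, which is the "impossible to tell" window; once the revocation is published with a backdated cutoff, only the pre-compromise update still verifies.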
With such uncertainty looming, Adobe's safest course of action may be to rebuild all its certificates from the ground up.
Follow Ben on Twitter.