Adobe flash player's certificate revoked?

[Lu Wei]

I just noticed that the new flash player 11.1's signature is not valid
due to revocation by issuer. And the older version's signature which
used to be valid is not valid too. What's the problem and what should I do?
file's fingerprint is:
md5: 393c3581d828402bde91f76b0623efaf
Certificate's fingerprint is:
sha1: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c


--
Regards,
Lu Wei
PGP key ID: 0x92CCE1EA

[Lu Wei]

On 2012-3-3 5:13, Thee Chicago Wolf [MVP] wrote:
>> I just noticed that the new flash player 11.1's signature is not valid
>> due to revocation by issuer. And the older version's signature which
>> used to be valid is not valid too. What's the problem and what should I do?
>> file's fingerprint is:
>> md5: 393c3581d828402bde91f76b0623efaf
>> Certificate's fingerprint is:
>> sha1: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c
>

> Google Flash 11.2 and try using the 11.2 Release Candidate.
>

I downloaded flash 11.2 and got invalid signature too. This is not I got
the wrong or old files, it is Adobe's certificate has been cancelled--I
wonder does this means Adobe is deemed incredible by Verisign. What
should a normal user react to this situation? Remove all Adobe products?

[Gnus2Me]

On 3/1/2012 6:01 PM, Lu Wei wrote:
> I just noticed that the new flash player 11.1's signature is not valid
> due to revocation by issuer. And the older version's signature which
> used to be valid is not valid too. What's the problem and what should I do?
> file's fingerprint is:
> md5: 393c3581d828402bde91f76b0623efaf
> Certificate's fingerprint is:
> sha1: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c
>
>

More info here:
http://www.pcworld.com/businesscenter/article/249938/mozilla_will_ask_all_certificate_authorities_to_revoke_sslspying_certificates.html

[Christian Riechers]

Can you be a little more specific about which cert you're talking about?
What are you doing when the warning pops up? What site do you access?
Typically a cert is checked when accessing a secure site via SSL.

--
Christian

[Lu Wei]

Sorry, I don't see its relations to my problem.

[Lu Wei]

The cert is the one that file "install_flash_player_32bit.exe" was
signed, with the name "Adobe Systems Incorporated", issued by "VeriSign
Class 3 Code Signing 2010 CA", and with the fingerprint as I pasted
above. What I want to do is install a flash player plugin for Firefox.
Not related to any site or SSL, I normally install|update flash player
"offline".

[Christian Riechers]

Even though the md5 hash of the downloaded installer is different for me
for 11.1, the fingerprint of the Adobe cert is the same. I take it you
downloaded the installer directly from adobe.com, and not from some
obscure download site.
On my Vista laptop Windows says 'This digital signature is OK'. And the
cert looks reasonable.
I do not know how to check the validity of the cert in Windows. How do
you do this? And do you use the CRL as indicated in the cert?
When trying to import the cert into FF, it refuses to do this:
"This certificate can't be verified and will not be imported. The
certificate issuer might be unknown or untrusted, the certificate might
have expired or been revoked, or the certificate might not have been
approved."
So again, I'm wondering what you do to actually verify the cert. I never
looked at the signing cert of the Flash installer before, and apparently
Vista does not complain when running it.

--
Christian

[rebro]

Neither do Win8CP and FF11 beta complain when installing and running
Flash Player 11.1 as I experienced on two machines yesterday.
-rebro

[Lu Wei]

On 2012-3-3 19:01, Christian Riechers wrote:
> On 03/03/2012 11:22 AM, Lu Wei wrote:
>> On 2012-3-3 16:06, Christian Riechers wrote:
>>> On 03/03/2012 07:48 AM, Lu Wei wrote:
>>>> On 2012-3-3 5:13, Thee Chicago Wolf [MVP] wrote:
>>>>>> I just noticed that the new flash player 11.1's signature
>>>>>> is not valid due to revocation by issuer. And the older
>>>>>> version's signature which used to be valid is not valid
>>>>>> too. What's the problem and what should I do? file's
>>>>>> fingerprint is: md5: 393c3581d828402bde91f76b0623efaf
>>>>>> Certificate's fingerprint is: sha1: fd f0 1d d3 f3 7c 66 ac
>>>>>> 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c
>

> Even though the md5 hash of the downloaded installer is different for
> me for 11.1, the fingerprint of the Adobe cert is the same. I take it
> you downloaded the installer directly from adobe.com, and not from
> some obscure download site.

Yes, I downloaded the file from adobe's site:
http://kb2.adobe.com/cps/142/tn_14266.html
The specific link is:
http://fpdownload.macromedia.com/get/flashplayer/installers/archive/fp_11.1.102.62_archive.zip
And the file is extracted from the zip, with the name "flashplayer11_1r102_62_win_32bit.exe".
If download from http://get.adobe.com/flashplayer/ (most people use this), the file name will be "install_flash_player_32bit.exe", but the two files are same.

> On my Vista laptop Windows says 'This digital signature is OK'. And
> the cert looks reasonable. I do not know how to check the validity of
> the cert in Windows. How do you do this? And do you use the CRL as
> indicated in the cert? When trying to import the cert into FF, it
> refuses to do this: "This certificate can't be verified and will not
> be imported. The certificate issuer might be unknown or untrusted,
> the certificate might have expired or been revoked, or the
> certificate might not have been approved." So again, I'm wondering
> what you do to actually verify the cert. I never looked at the
> signing cert of the Flash installer before, and apparently Vista does
> not complain when running it.
>

File's signature is checked from property page, which I assume you know; To check a certificate, in system control panel->internet options (or internet properties, something like that)->contents->certificate, you can check the CA's, personal certificates, untrusted certificates, etc. I uploaded a snapshot to http://imageshack.us/photo/my-images/201/certc.jpg/ . And unfortunately "Adobe Systems Incorporated" is in the untrusted certificates list. I am certain that it's not me who moved it to the blacklist.

[Lu Wei]

On 2012-3-3 22:15, Thee Chicago Wolf (MVP) wrote:
>> On 2012-3-3 16:06, Christian Riechers wrote:
>>> On 03/03/2012 07:48 AM, Lu Wei wrote:
>>>> On 2012-3-3 5:13, Thee Chicago Wolf [MVP] wrote:
>>>>>> I just noticed that the new flash player 11.1's signature is not valid
>>>>>> due to revocation by issuer. And the older version's signature which
>>>>>> used to be valid is not valid too. What's the problem and what should I do?
>>>>>> file's fingerprint is:
>>>>>> md5: 393c3581d828402bde91f76b0623efaf
>>>>>> Certificate's fingerprint is:
>>>>>> sha1: fd f0 1d d3 f3 7c 66 ac 4c 77 9d 92 62 3c 77 81 4a 07 fe 4c
>>>>>
>

> This is almost starting to sound like malware interfering.
I don't think so. I download it from Adobe's site, and if you search
Google with file's md5 393c3581d828402bde91f76b0623efaf, there are lot's
of links claiming it is flash player 11.1.102.62 (Non-IE). The problem
is why Adobe's certificate has been revoked.

[Jeremy Nicoll - ml mozilla support-firefox]

Lu Wei <luwe...@address.invalid> wrote:

> File's signature is checked from property page, which I assume you know;
> To check a certificate, in system control panel->internet options (or
> internet properties, something like that)->contents->certificate, you can
> check the CA's, personal certificates, untrusted certificates, etc. I
> uploaded a snapshot to http://imageshack.us/photo/my-images/201/certc.jpg/
> . And unfortunately "Adobe Systems Incorporated" is in the untrusted
> certificates list. I am certain that it's not me who moved it to the
> blacklist.

I do not understand certificates, but I just looked on my Windows XP system
at the certificates lists. With 'intended purpose' set to 'All', I can't
find any mention of "Adobe Systems Incorporated" (or Adobe anything) in any
of the various tabs, and certainly not in the Untrusted Publishers one.

Ironically the first entry in the Untrusted Publishers list is

issued to: addons.mozilla.org
issued by: UTN-USERFirst-Hardware
friendly name: Fraudulent

(whatever that means). Selecting it and clicking View I got told that it
was revoked by its certificate authority, but it doesn't say when this
happened.

Only once have I ever manually done anything with certificates, and then it
was importing a specific personal one.


I find it puzzling that my certificates list doesn't include anything
Adobe-related. I don't use Adobe Acrobat, but do use AIR and Flash, so
presumably if the Adobe certificate is certifying their own website one
would expect to have it. Why do you, but not me?


Next I looked at the installers I have for Flash

20120219 1658 V11-1-102-62 XP-IE install_flashplayer11x32ax_mssd_aih.exe
20120219 1657 V11-1-102-62 FF install_flashplayer11x32_mssd_aih.exe

(these are the names I stored the files under here, being the data and
time I fetched them, version info, target browser, and filename as
set by Adobe.)

Both of these files say under Properties that they're signed ok... by Adobe
Systems Incorporated. The Certification Path shows

VeriSign

VeriSign Class 3 Code Signing 2010 CA

Adobe Systems Incorporated

and interestingly(?) if I click on either of the first two, the button 'View
Certificate' is offered, but if I click on the Adobe line, it's greyed out.
So do I have an Adobe Systems Incorporated certificate here, or not? Maybe I
don't - maybe this is telling me that Adobe had the certificate and signed
the file, but VeriSign are guaranteeing that... and I do have a copy of the
VeriSign certificate. Or something.


I do know though that periodic Microsoft Windows Updates do things with root
certificates - is it possible that you've not applied one of these fixes?


If you were to export and then delete the untrusted certificate, I wonder if
what's left would then appear to certify the file ok?


You might be better asking about this on a forum where people gather to talk
about security issues, eg: http://www.wilderssecurity.com/index.php

--
Jeremy Nicoll - my opinions are my own.

[Christian Riechers]

I looked at the cert store on my Vista laptop and I do not have the
Adobe cert listed as untrusted.
I have no idea how the Adobe cert got marked as untrusted for you. Maybe
there is a relation to the DigiNotar breach from last year.
http://news.cnet.com/8301-1009_3-20105680-83/microsoft-issue-fixes-blacklists-more-diginotar-certificates/
Meanwhile I'd say it's safe to install Flash Player.
I'd still be curious how you got to look at the Windows cert store. Do
you get a warning when running the Flash installer?

--
Christian

[Lu Wei]

On 2012-3-4 20:13, Christian Riechers wrote:
>> File's signature is checked from property page, which I assume you
>> know; To check a certificate, in system control panel->internet options
>> (or internet properties, something like that)->contents->certificate,
>> you can check the CA's, personal certificates, untrusted certificates,
>> etc. I uploaded a snapshot to
>> http://imageshack.us/photo/my-images/201/certc.jpg/ . And unfortunately
>> "Adobe Systems Incorporated" is in the untrusted certificates list. I am
>> certain that it's not me who moved it to the blacklist.
>
> I looked at the cert store on my Vista laptop and I do not have the
> Adobe cert listed as untrusted.
> I have no idea how the Adobe cert got marked as untrusted for you. Maybe
> there is a relation to the DigiNotar breach from last year.
> http://news.cnet.com/8301-1009_3-20105680-83/microsoft-issue-fixes-blacklists-more-diginotar-certificates/

Should not be; Adobe's cert is issued by Verisign.

> Meanwhile I'd say it's safe to install Flash Player.
> I'd still be curious how you got to look at the Windows cert store. Do
> you get a warning when running the Flash installer?

No--Normally if I see a executable file with a invalid signature, I will
not run it.

[Lu Wei]

On 2012-3-4 20:01, Jeremy Nicoll - ml mozilla support-firefox wrote:
> Lu Wei <luwe...@address.invalid> wrote:
>
>> File's signature is checked from property page, which I assume you know;
>> To check a certificate, in system control panel->internet options (or
>> internet properties, something like that)->contents->certificate, you can
>> check the CA's, personal certificates, untrusted certificates, etc. I
>> uploaded a snapshot to http://imageshack.us/photo/my-images/201/certc.jpg/
>> . And unfortunately "Adobe Systems Incorporated" is in the untrusted
>> certificates list. I am certain that it's not me who moved it to the
>> blacklist.
>
> I do not understand certificates, but I just looked on my Windows XP system
> at the certificates lists. With 'intended purpose' set to 'All', I can't
> find any mention of "Adobe Systems Incorporated" (or Adobe anything) in any
> of the various tabs, and certainly not in the Untrusted Publishers one.
>
> Ironically the first entry in the Untrusted Publishers list is
>
> issued to: addons.mozilla.org
> issued by: UTN-USERFirst-Hardware
> friendly name: Fraudulent
>
> (whatever that means). Selecting it and clicking View I got told that it
> was revoked by its certificate authority, but it doesn't say when this
> happened.

That cert, as it's noted, should be a fraudulent cert issued by some
hackers and later have been revoked by the issuer to avoid damage.

>
> Only once have I ever manually done anything with certificates, and then it
> was importing a specific personal one.
>
>
> I find it puzzling that my certificates list doesn't include anything
> Adobe-related. I don't use Adobe Acrobat, but do use AIR and Flash, so
> presumably if the Adobe certificate is certifying their own website one
> would expect to have it. Why do you, but not me?

Don't know; I wonder too.

>
> Next I looked at the installers I have for Flash
>
> 20120219 1658 V11-1-102-62 XP-IE install_flashplayer11x32ax_mssd_aih.exe
> 20120219 1657 V11-1-102-62 FF install_flashplayer11x32_mssd_aih.exe
>
> (these are the names I stored the files under here, being the data and
> time I fetched them, version info, target browser, and filename as
> set by Adobe.)
>
> Both of these files say under Properties that they're signed ok... by Adobe
> Systems Incorporated. The Certification Path shows
>
> VeriSign
> VeriSign Class 3 Code Signing 2010 CA
> Adobe Systems Incorporated
>
> and interestingly(?) if I click on either of the first two, the button 'View
> Certificate' is offered, but if I click on the Adobe line, it's greyed out.
> So do I have an Adobe Systems Incorporated certificate here, or not? Maybe I
> don't - maybe this is telling me that Adobe had the certificate and signed
> the file, but VeriSign are guaranteeing that... and I do have a copy of the
> VeriSign certificate. Or something.

It's greyed out because you are viewing it. Yes, you have the Adobe
Systems Incorporated certificate, bundled in the flash installer,
indicating it is issued by Verisign, and you do have Verisign's cert in
your system, and the signature check passed, since Adobe's cert is not
revoked in your system.

>
>
> I do know though that periodic Microsoft Windows Updates do things with root
> certificates - is it possible that you've not applied one of these fixes?

I think, on the contrary, it is possible that you've not applied the
most recent fixes--for a fix should revoke fraudulent certs, not
re-enable a revoked certs, that's unreasonable. My windows update is
opened to "automatically update".

>
>
> If you were to export and then delete the untrusted certificate, I wonder if
> what's left would then appear to certify the file ok?

I thought so; but it should not be a good practice.

>
>
> You might be better asking about this on a forum where people gather to talk
> about security issues, eg: http://www.wilderssecurity.com/index.php
>

Thanks. I may try.

[Lu Wei]

On 2012-3-4 23:04, Thee Chicago Wolf (MVP) wrote:

>>> This is almost starting to sound like malware interfering.
>> I don't think so. I download it from Adobe's site, and if you search
>> Google with file's md5 393c3581d828402bde91f76b0623efaf, there are lot's
>> of links claiming it is flash player 11.1.102.62 (Non-IE). The problem
>> is why Adobe's certificate has been revoked.
>

> No I am saying YOU have malware on YOUR machine or something else is
> screwed up. If it were not the case, we would all be seeing this
> error.
It seems the only possible explanation. As a careful user I can hardly
imagine what malware could I have executed, and what's the reason to
blacklist adobe's cert. Anyway, remove the cert from untrusted area
could be a quick workaround, though it makes me uncomfortable without
knowing the reason.

[Lu Wei]

On 2012-3-5 23:37, Thee Chicago Wolf [MVP] wrote:
> These days the A/V vendors just cannot keep up with these click
> malwares. The malware get mutated at a rated of over a 1000 a day and
> each one is unique. That is scary stuff. I think it's safe to do what
> you did. I did not see anything in my CERT store either which leads me
> to suspect that you could have gotten a Flash-based malware or hidden
> rootkit that inject that CERT to scare you into believing any updated
> Flash product (which would plug the security hole) would be a threat.
> If *i* were writing malware, that's surely how I would do it.
>
RootkitRevealer doesn't reveal anything, seems I have to ignore it.
Thank you.

[sreera...@gmail.com]