I was impressed by the detail and level of disclosure in this post. Very little PR speak, very little vagueness and handwaving - Adobe acknowledged the severity and demonstrated how important they viewed their response.

I have to give a nod of admiration for the professionalism of their handling of such a situation.
I wonder how many sub $100 million non-security-focussed companies

  A) Properly use an HSM at the root of their PKI (following
     all the procedures for sharding their X-of-Y control of the device)
  B) Have "corporate standards for a build server"
  C) Routinely audit their build servers to ensure they adhere
     to those corporate standards.
At least the HSM limited the damage to the compromised servers and, of course, all the code that got signed in the interim.
Having just looked at Adobe 'cracks' recently for CS5 and CS6, I wonder why these entries (destined for the HOSTS file)

  127.0.0.1 crl.verisign.net
  127.0.0.1 tss-geotrust-crl.thawte.com

are there...

The cracks work by replacing a DLL, but also by blocking connections to all the servers it thinks are activation servers (key validation).

I tested removing these CRL entries and the software had no issues. Just speculating wildly, but maybe this was a planned attack a long time coming (given that these entries have existed since CS5).
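A defender-side check prompted by the HOSTS entries quoted above, added here as an example and not code from anyone in this thread: it parses a HOSTS file and flags hostnames that look like revocation infrastructure (CRL or OCSP distribution points) and have been pointed at loopback or the unspecified address. An entry like that silently disables revocation checking, which is precisely the control that matters once a signing certificate has been revoked. The marker list, the helper names and the sample file contents are assumptions constructed for the example; the two `127.0.0.1` lines are the ones quoted in the post.

```python
"""
Flag HOSTS-file entries that sinkhole certificate-revocation hostnames.

Added example; the hostname markers and sample data below are assumptions
made for illustration, not an authoritative inventory.
"""
import ipaddress

# Heuristic markers for revocation infrastructure (assumed for this example).
REVOCATION_MARKERS = ("crl", "ocsp")

# Constructed sample HOSTS file: the two entries quoted in the thread plus
# benign lines, so the scan has both positives and negatives to work on.
SAMPLE_HOSTS = """\
# constructed sample, not a real system file
127.0.0.1       localhost
::1             localhost
127.0.0.1 crl.verisign.net
127.0.0.1 tss-geotrust-crl.thawte.com
0.0.0.0   ads.example.invalid
192.0.2.10 intranet.example.invalid
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        ip, *names = parts
        for name in names:
            yield ip, name.lower()


def is_sinkhole(ip_text):
    """True when the address sends traffic nowhere (loopback or unspecified)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def looks_like_revocation_host(hostname):
    """Heuristic: hostname mentions a CRL or OCSP service."""
    return any(marker in hostname for marker in REVOCATION_MARKERS)


def find_blocked_revocation_hosts(text):
    """Return sorted hostnames that are revocation-related AND sinkholed."""
    hits = set()
    for ip, name in parse_hosts(text):
        if looks_like_revocation_host(name) and is_sinkhole(ip):
            hits.add(name)
    return sorted(hits)


def scan_hosts_file(path):
    """Convenience wrapper for a real file, e.g. /etc/hosts or the Windows
    drivers\\etc\\hosts file (path is supplied by the caller)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_blocked_revocation_hosts(fh.read())


if __name__ == "__main__":
    for host in find_blocked_revocation_hosts(SAMPLE_HOSTS):
        print("revocation host sinkholed:", host)
```

On the sample above the scan reports only the two CRL hosts: the ad-blocking line is sinkholed but is not revocation infrastructure, and the intranet line resolves to a routable address. On a real machine, point `scan_hosts_file` at the system HOSTS file and treat any hit as something to explain, since an application that cannot reach a CRL will typically fall back to treating the certificate as good.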