The Lasting Impact of Code-Signing Certificates Gone Wrong

November 7, 2016 | Scott Carter

IBM recently identified two code-signing certificates that were being used to sign malware. IBM acted immediately to revoke the certificates and notify customers. But according to an IBM blog, those revoked certificates may now cause some products to “fail to run or warn the user that the certificates used to sign the products are no longer valid.”

We are accustomed to business disruptions caused by expired certificates. The IBM incident shows that remediating a compromised code-signing certificate carries a similar cost: revoking it invalidates every signature ever made with it, the legitimate products along with the malware, because a verifier with no trusted timestamp cannot tell the two apart. The bottom line is that constant vigilance over, and control of, your entire inventory of keys and certificates is what preserves both reliability and availability.

But let’s step back a bit and think about how code-signing certificates can be compromised in the first place. According to Walter Goulet, product manager at Venafi, there are two possible scenarios that would explain the compromise at IBM. Both point to the need to control privileged access.

Goulet posits, “Malware signing could mean that the private key associated with the code signing certificates was exfiltrated from IBM's environment by a malicious attacker and used elsewhere. Or it could mean that an internal system in IBM that is responsible for code signing was compromised in such a fashion that an attacker was able to use it to sign the malware.”

Either way, incidents like this highlight the need to track and control private key material properly. Code-signing certificates are among the most powerful certificates an organization holds because of the high level of trust they imply. Goulet explains, “Applications and operating systems usually assume a certain level of vetting and due diligence has been performed by application authors prior to signing applications.”

A compromised code-signing certificate is a powerful tool for an adversary: it lets malware and other malicious code execute in environments that would otherwise block unsigned or untrusted code. IBM hopes this has not happened in the recent PSIRT scare: “To IBM’s knowledge, this malware has not been distributed with any IBM software.”
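Both halves of the incident described above, the trust that Goulet says applications and operating systems place in a code-signing certificate and the side effect of revocation that IBM's blog warns about, as an added Go example. This is not IBM's, Venafi's or the post's code: it builds a constructed in-memory PKI with hypothetical names (Example Code Signing CA, Example Software Publisher, serial 42), the helper names Verify, RevokeOnCRL, Scenario and must are assumptions of this example, and it uses only Go's standard library (Go 1.19 or later).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked: the signer's serial number appears on the issuer's CRL.
var ErrRevoked = errors.New("code-signing certificate is revoked")

// must aborts on errors while building the constructed fixture below; not a production pattern.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert issues tmpl from parent; with parent == nil it self-signs a root CA (fixture only).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// RevokeOnCRL is the CA-side remediation step: publish a CRL that lists the compromised serial.
func RevokeOnCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial *big.Int, now time.Time) (*x509.RevocationList, error) {
	der, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: serial, RevocationTime: now}},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// Verify is what a loader does before trusting a signed payload: chain the leaf to a trusted root
// for the code-signing EKU, consult the issuer's CRL, then check the signature bytes. Nothing here
// can tell a signature made before the key was stolen from one made after it, so once the serial
// is on the CRL a legitimate release and the attacker's malware are rejected alike.
func Verify(payload, sig []byte, leaf, root *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if crl != nil {
		if err := crl.CheckSignatureFrom(root); err != nil {
			return fmt.Errorf("crl: %w", err)
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return ErrRevoked
			}
		}
	}
	digest := sha256.Sum256(payload)
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("signature does not match payload")
	}
	return nil
}

// Scenario replays the incident against a constructed in-memory PKI (hypothetical names, not IBM's):
// a legitimately signed release verifies, the CA revokes the leaf, and the same release then fails.
func Scenario() (beforeRevocation, afterRevocation error) {
	now := time.Now()
	ca, caKey := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Code Signing CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	leaf, leafKey := newCert(&x509.Certificate{
		SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "Example Software Publisher"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, ca, caKey)
	// The publisher's build step: a detached ECDSA signature over SHA-256 of a constructed payload.
	payload := []byte("installer v1.0 (constructed payload)")
	digest := sha256.Sum256(payload)
	sig := must(ecdsa.SignASN1(rand.Reader, leafKey, digest[:]))
	beforeRevocation = Verify(payload, sig, leaf, ca, nil, now)
	crl := must(RevokeOnCRL(ca, caKey, leaf.SerialNumber, now))
	afterRevocation = Verify(payload, sig, leaf, ca, crl, now)
	return beforeRevocation, afterRevocation
}

func main() {
	before, after := Scenario()
	fmt.Printf("before revocation: %v\nafter revocation:  %v\n", before, after)
}
```

Run it with go run: Scenario returns nil for the release before revocation and ErrRevoked for the identical bytes afterwards, which is the failure mode IBM's blog says customers may see. Real platform verifiers add one refinement this toy one omits: Windows Authenticode, for example, honours a trusted timestamp countersignature, so a signature provably made before the CRL's revocation date can remain valid, and a CA that suspects key compromise can set the revocation date back to the estimated compromise time to invalidate timestamped signatures too. Without such a timestamp a verifier has no evidence of when a signature was made and has to reject everything the certificate ever signed.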

But in the future, organizations may not be as lucky. We should all take these lessons to heart. Do you know where your private keys are, who can access them, and how they are being used?

About the author

Scott Carter writes for Venafi's blog and is an expert in machine identity protection.
