The Lasting Impact of Code Signing Certificates Gone Wrong

November 7, 2016 | Scott Carter

IBM recently identified two code signing certificates that were being used to sign malware. IBM acted immediately to revoke these certificates and notify customers. But according to an IBM blog, those revoked certificates may now cause some products to “fail to run or warn the user that the certificates used to sign the products are no longer valid.”

We are far more accustomed to business disruptions caused by expired or compromised certificates, so the IBM incident is a useful reminder that remediating compromised code-signing certificates can disrupt organizations as well: software signed with the revoked certificates is affected even though the software itself is legitimate. The bottom line is that maintaining constant vigilance and control over your entire inventory of keys and certificates is what preserves both reliability and availability.
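The mechanism behind that disruption is worth seeing concretely. The following Go program is an added example written for this article; it is not code from the original post, from IBM, or from Venafi. It builds a constructed two-tier PKI (a hypothetical "Example Vendor" root and code-signing certificate), signs a sample payload, then revokes the signing certificate on a CRL and re-verifies the identical, unmodified payload. The verification routine models what a loader does (chain to a trusted root with the code-signing EKU, consult the issuer's CRL, check the signature); all names, serial numbers and the payload are constructed for the demonstration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Verdict is the outcome a loader reaches when it checks a signed artifact.
type Verdict string

const (
	Trusted       Verdict = "trusted"
	UntrustedCert Verdict = "signer certificate not trusted for code signing"
	Revoked       Verdict = "signer certificate revoked"
	BadSignature  Verdict = "signature does not match payload"
)

func check(err error) { if err != nil { panic(err) } }

// makeCert issues a certificate from template; parent is nil for a self-signed root.
func makeCert(template, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	if parent == nil { parent = template }
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// VerifyArtifact mirrors a loader's checks: chain to a trusted root with the code-signing
// EKU, consult the issuer's CRL (x509 Verify never does this itself), then verify the signature.
func VerifyArtifact(payload, sig []byte, signer *x509.Certificate, roots *x509.CertPool, crl *x509.RevocationList) Verdict {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return UntrustedCert
	}
	if crl != nil {
		// RevokedCertificates is populated by ParseRevocationList on every Go release since 1.19.
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 {
				return Revoked
			}
		}
	}
	if err := signer.CheckSignature(x509.SHA256WithRSA, payload, sig); err != nil {
		return BadSignature
	}
	return Trusted
}

// Demo signs a constructed product, revokes the signer, and re-verifies the same bytes.
func Demo() (before, after Verdict) {
	now := time.Now()
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	ca := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Vendor Root CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		SubjectKeyId: []byte{1, 2, 3, 4}, // a CRL issuer must carry a subject key identifier
	}, nil, &caKey.PublicKey, caKey)
	signerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	signer := makeCert(&x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "Example Vendor Code Signing (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}, ca, &signerKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// Constructed stand-in for a legitimately built product, signed before any misuse of the key.
	payload := []byte("product-1.0.0.bin contents (constructed sample)")
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, signerKey, crypto.SHA256, digest[:])
	check(err)
	before = VerifyArtifact(payload, sig, signer, roots, nil)
	// The vendor discovers misuse of the key and lists the certificate on its CRL.
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: signer.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	check(err)
	crl, err := x509.ParseRevocationList(crlDER)
	check(err)
	check(crl.CheckSignatureFrom(ca))
	after = VerifyArtifact(payload, sig, signer, roots, crl) // same payload, same signature, new CRL
	return before, after
}

func main() {
	before, after := Demo()
	fmt.Println("before revocation:", before)
	fmt.Println("after revocation: ", after)
}
```

Nothing about the product or its signature changes between the two verifications; only the CRL does. That is why revoking a misused code-signing certificate also reaches the legitimate releases it signed, and why the inventory question at the end of this post matters before an incident rather than after it.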

But let’s step back a bit and think about how code-signing certificates can be compromised in the first place. According to Walter Goulet, product manager at Venafi, there are two possible scenarios that would explain the compromise at IBM. Both point to the need to control privileged access.

Goulet posits, “Malware signing could mean that the private key associated with the code signing certificates was exfiltrated from IBM's environment by a malicious attacker and used elsewhere. Or it could mean that an internal system in IBM that is responsible for code signing was compromised in such a fashion that an attacker was able to use it to sign the malware.”

Either way, these types of incidents highlight the need to ensure that private key material is properly tracked and controlled. Code signing certificates are among the most powerful certificates because of the high level of trust they imply. Goulet explains, “Applications and operating systems usually assume a certain level of vetting and due diligence has been performed by application authors prior to signing applications.”

Compromise and misuse of code signing certificates is a powerful tool for adversaries who are able to get malware and other malicious code to execute successfully in otherwise well-protected environments. IBM hopes that this is not the case in the recent PSIRT scare: “To IBM’s knowledge, this malware has not been distributed with any IBM software.”

But in the future, organizations may not be as lucky. We should all take these lessons to heart. Do you know where your private keys are, who can access them, and how they are being used?


About the author

Scott Carter
Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.
