Adobe has suffered its second targeted attack in a year, investigating the illegal access of source code for Adobe Acrobat, ColdFusion, ColdFusion Builder and other Adobe products by an unauthorised third party.
After a discovery by security blogger Brian Krebs of 40GB of source code, which appeared to be uncompiled and compiled code for ColdFusion and Adobe Acrobat, Adobe confirmed that it has been working on an investigation into a potentially broad-ranging breach of its networks since 17th September.
Adobe said it believed that the attack took place in mid-August and credit card and other data on approximately 2.9 million customers was taken, as well as an as-yet-undetermined number of user names and passwords that customers use to access various parts of the Adobe customer network.
Adobe issued a statement saying that it was “not aware of any zero-day exploits targeting any Adobe products” but recommended users run only supported versions of the software, apply all available security updates, and follow the advice in the Acrobat Enterprise Toolkit and the ColdFusion Lockdown Guide. “These steps are intended to help mitigate attacks targeting older, unpatched, or improperly configured deployments of Adobe products,” it said.
Adobe’s chief security officer Brad Arkin thanked Krebs for helping “steer our investigation in a new direction” and said the company has undertaken a rigorous review of the ColdFusion code shipped since the code archive was compromised, and that it is confident that the ColdFusion source code that shipped following the incident “maintained its integrity”.
In a statement on the Adobe website, Arkin said that its security team had discovered sophisticated attacks on its network, involving the illegal access of customer information as well as source code for numerous Adobe products, and that it deeply regretted that this incident had occurred.
As a precaution, it is resetting all relevant customer passwords to help prevent unauthorised access to Adobe ID accounts, and notifying customers whose credit or debit card information it believed to be involved in the incident.
“We value the trust of our customers. We will work aggressively to prevent these types of events from occurring in the future. Again, we deeply regret any inconvenience this may cause you,” Arkin said.
In September 2012, Adobe announced that it was the victim of a targeted attack that accessed an internal server and affected its digital certificate code signing infrastructure. It became aware of the attack after it received two malicious utilities that appeared to be digitally signed using a valid Adobe code signing certificate. This led it to decommission the existing Adobe code signing infrastructure and revoke all software code signed after 10th July 2012.