HP accidentally signed malware, will revoke certificate

Anonymous Coward

in security on 2014-10-12 16:46 (#2T7T)

Hewlett-Packard has alerted some customers that it will be revoking a digital certificate used to sign a huge swath of software-including hardware drivers and other software essential to running on older HP computers. The certificate is being revoked because the company learned it had been used to digitally sign malware that had infected a developer's PC.

Wahlin said that it appears the malware, which had infected an HP employee's computer, accidentally got digitally signed as part of a separate software package-and then sent a signed copy of itself back to its point of origin. Though the malware has since been distributed over the Internet while bearing HP's certificate, Wahlin noted that the Trojan was never shipped to HP customers as part of the software package.

"When people hear this, many will automatically assume we had some sort of compromise within our code signing infrastructure, and that is not the case," Wahlin told Krebs. "We can show that we've never had a breach on our [certificate authority] and that our code-signing infrastructure is 100 percent intact."

No breach? (Score: 1)

by powysbiker@pipedot.org on 2014-10-13 13:30 (#2T82)

Whether their CA has been breached or not is irrelevant, they clearly did not have procedures in place to protect the integrity of the signature. If a PC is used by someone responsible for signing code surely there should be procedures in place to make sure that that PC is not subverted?

bugs in my bed (Score: 0)

by Anonymous Coward on 2014-10-13 14:33 (#2T83)

"Hewlett-Packard has alerted some customers that it will be revoking a digital certificate used to sign a huge swath of software"

Nice try, NS4.