HP has announced to its customers that it will soon revoke a specific private digital certificate that it used to sign some software components that ship with some of its older products, because the certificate has also been used to sign malicious software.
The mistake was discovered by Symantec, whose researchers found a Trojan signed with the certificate in question. The malware dates back at least 4 years (May 2010).
HP’s Global Chief Information Security Officer Brett Wahlin shared with Brian Krebs that the company’s code signing infrastructure wasn’t compromised – ever.
According to the researcher, the problem started with a malware infection on an HP developer’s computer.
“HP investigators believe the trojan on the developer’s PC renamed itself to mimic one of the file names the company typically uses in its software testing, and that the malicious file was inadvertently included in a software package that was later signed with the company’s digital certificate,” Krebs noted. “The company believes the malware got off of HP’s internal network because it contained a mechanism designed to transfer a copy of the file back to its point of origin.”
Wahlin says that the software package in question never made it into shipped software, and the certificate expired years ago.
But, unfortunately, other HP software was signed with it and now the company plans to re-sign this software with a new certificate – a move that, they admit, could create problems for companies that use HP computers with built-in recovery partitions.
The certificate will be revoked by Verisign on October 21, and HP is trying to find a good solution for the aforementioned problem.