HP accidentally approves malware

Oct 14, 2014

An infected developer PC led to malware being signed with HP’s digital certificate.

Ars Technica reported that software was mistakenly signed on an HP developer’s PC that was infected with a Trojan, meaning that the digital certificate used to sign “hardware drivers and other software essential to running […] older HP computers” had also signed the malware.

The OEM stated that the certificate itself “wasn’t compromised”, but that the malware was “accidentally […] digitally signed” as part of a separate software package, sending a “signed copy of itself back to its point of origin”. It added that the Trojan “was never shipped to HP customers as part of the software package”, with the malware said to be four years old.

Antivirus company Symantec had alerted HP on discovering the signed malware, which has “since been distributed over the internet while bearing HP’s certificate”, meaning that HP will now have to reissue a “large number of software packages with a new digital signature” – a move that will not “affect systems with the software already installed”, but which will alert users if they attempt “to reinstall software from original media”.

HP added that “regardless of the cause” this will need to be undertaken, and that the “full impact” of revoking the certificate “won’t be known” until after it has been revoked on 21 October. HP’s Global Chief Information Security Officer, Brett Wahlin, told the site that “when people hear this, many will automatically assume we had some sort of compromise within our code signing infrastructure, and that is not the case.

“We can show that we’ve never had a breach on our [certificate authority] and that our code-signing infrastructure is 100 percent intact”.
