
Hewlett-Packard (HP) will quietly revoke a code-signing certificate after discovering it was used four years ago to sign malicious software, according to security reporter Brian Krebs.
HP was said to have been alerted to the problem by security firm Symantec: a four-year-old trojan posing as an HP file had accidentally been signed with the company’s digital certificate and later made its way outside the firm’s network.
Brett Wahlin, chief information security officer at HP, told Krebs on Security: "When people hear this, many will automatically assume we had some sort of compromise within our code signing infrastructure, and that is not the case.
"We can show that we’ve never had a breach on our [certificate authority] and that our code-signing infrastructure is 100% intact."
He added that the signed malware was never shipped to any customer, and that none of the firm’s private signing keys were stolen.
However, revoking the certificate may cause support problems for some HP customers, because software still in use that was signed with it will have to be re-signed.
There is also a concern over what will happen if a customer tries to restore a system from a recovery partition whose contents were signed with the revoked certificate.
"Our PC group is working through trying to create solutions to help customers if that actually becomes a real-world scenario," Wahlin said. "But in the end that’s something we can’t test in a lab environment until that certificate is officially revoked by Verisign on October 21."
More details can be found on Krebs’ site.