HP accidentally signed some malware, according to Krebs on Security.
Krebs reports that the certificate was “used to cryptographically sign software components that ship with many of its older products”, mostly for PC software, but that back in 2010 it was also used to sign some malware.
HP will therefore revoke the certificate, which means a bit of extra work for those using the HP software that relies on it, and perhaps a few discomforting moments when folks try to use recovery partitions on HP PCs equipped with rollback facilities.
The soon-to-be-devolved company's chief security officer Brett Wahlin told Krebs that the company's code-signing regimes remain sound and have never been compromised. The SNAFU seems to have come about after malware copied the name of a piece of HP software and was therefore accidentally bundled into a package that HP uses internally, but which doesn't ever reach PCs the company sells. The malware is set to phone home, which is what led to its detection.
Verisign will revoke the certificate on October 21st. ®