"None of Symantec's code-signing certificates were at risk," Symantec said Thursday in an emailed statement. "This was not a compromise of Symantec's code-signing certificates, network or infrastructure."

Adobe decommissioned its code-signing infrastructure and replaced it with an interim signing service that requires files to be manually checked before being signed, Arkin said. "We are in the process of designing and deploying a new, permanent signing solution."

It's hard to determine the implications of this incident, because we can't be sure that only the shared samples were signed without authorization Botezatu said. "If the password dumper application and the open-source SSL library are relatively innocuous, the rogue ISAPI filter can be used for man-in-the-middle attacks - typical attacks that manipulate the traffic from the user to the server and vice-versa, among others," he said.