
MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,296
30,382

[Image: sec_update_2011-005.png]

Apple today released Security Update 2011-005 for OS X, a small update addressing a specific security issue related to fraudulent certificates from DigiNotar.
Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.
DigiNotar's servers were compromised several weeks ago, with hackers obtaining access to hundreds of certificates. Apple has been criticized for being slow to respond to the issue, but is now doing so today by revoking DigiNotar's status as a trusted source.
DigiNotar, one of hundreds of firms authorized to issue digital certificates that authenticate a website's identity, admitted on Aug. 30 that its servers were compromised weeks earlier. A report made public Monday said that hackers had acquired 531 certificates, including many used by the Dutch government, and that DigiNotar was unaware of the intrusion for weeks.
Available updates include:

- Security Update 2011-005 (Lion) (15.59 MB)
- Security Update 2011-005 (Snow Leopard) (869 KB)


Article Link: Apple Releases Security Update 2011-005 for OS X to Address Compromised Certificates
 

applefan289

macrumors 68000
Aug 20, 2010
1,705
8
USA
Yeah, mine took no time to download and I'm on a 27" iMac running Lion...so it must have only been a few kilobytes for me.
 

iekozz

macrumors member
Nov 9, 2009
36
21
Amsterdam
Little note: If you're using Chrome or Firefox on OS X, you were already protected. But it's nice that Apple has finally released a security update for OS X.
 

MJedi

macrumors 6502a
Dec 16, 2010
878
352
Do the compromised certificates only exist on Snow Leopard and Lion? :confused:

What about Leopard?
 

KnightWRX

macrumors Pentium
Jan 28, 2009
15,046
4
Quebec, Canada
Something this serious should see updates to Leopard and Tiger as well since some in-service computers require older OSes.

Like stated previously, don't use Safari, use Chrome or Firefox on an older computer while they are still supported.

Commercial vendors are quicker to end of life software than the open source community, it's just the way of the world unfortunately.

It took them long enough, everyone else already had it covered.

So, I think it is still a valid rant.

Seeing how the article is a day old and this patch comes along, seems to me they were late rather than "not on top of things".

They didn't start working on this yesterday, maybe they caught something in Q&A that delayed things a bit. It's just the reality of software development.
 

stanton

macrumors member
Jan 19, 2008
81
1
Philly
Nice to see Apple was on top of things and that some people were ranting over nothing.

I wouldn't say they were ranting for nothing, especially if you live in Iran, where most of the poisoned DNS servers were located. They had control of every .com, .org, and a lot of individual certificates for google.com, facebook.com, etc... Everyone in that country now should change every username/password just to make sure that they didn't accidentally give their bank info to a 3rd party.

For the complete list you can read the IT analysis at: http://www.rijksoverheid.nl/bestand...rapport-fox-it-operation-black-tulip-v1-0.pdf
 

Custommm

macrumors member
May 31, 2009
91
0
It's about time!

Why is Apple taking so much time addressing those issues.... You guys are lagging big time! Still love you soooo much :). But switch gears regarding security updates!!!!
 

mysticalos

macrumors member
May 8, 2007
50
32
This update appears to be in 10.7.2 already, which was seeded a week ago, so that means Apple has had the fix ready for at least 7 days, so if they delayed it for 10.7.1 they probably had a reason.
 

AppliedMicro

macrumors 68020
Aug 17, 2008
2,171
2,442
They didn't start working on this yesterday, maybe they caught something in Q&A that delayed things a bit.
Removing compromised root certificates isn't rocket science.

There is simply no excuse for Apple taking almost two weeks longer than Microsoft to release this update - with Microsoft having to cover way more OS releases and update/service pack configurations than Apple.
 

goosnarrggh

macrumors 68000
May 16, 2006
1,602
20
Like stated previously, don't use Safari, use Chrome or Firefox on an older computer while they are still supported.
If you're still using Tiger or Leopard, odds are you're doing so because your hardware cannot support Snow Leopard or Lion. (There are always exceptions, and for these, I apologize for the generalization.)

These people must be running PPC-based Macs, and therefore cannot run any of the official releases of Chrome at all. (I'm not sure if anybody's unofficially compiled open source Chromium for PPC Mac OS X.)

However, official builds of Firefox 3.6.x run on all Macs, including PPC models, going all the way back to Tiger. And there's already a Firefox 3.6.x patch to fix this problem.

And there are 3rd party builds based upon Firefox, not under Mozilla's direct control, using the same codebase as Firefox 4/5/6/7, which are compatible with all G3, G4, and G5 Macs running Tiger and Leopard with at least 512 MB of RAM. I know of at least one which released a 6.0.1 patch containing this fix.

(By the way: I certainly hope that all PPC Mac users out there have uninstalled their Flash players by now. It is now a dangerous source of open security flaws which Adobe has NO plans to EVER fix.)

----------

I've disabled that certificate and many useless ones weeks ago. Even Linux was updated first.

Apparently, there's an unexpected behaviour in OS X: Even after you've used the Keychain manager to manually revoke a certificate authority, if Safari encounters a so-called "Extended Validation" certificate, it will ignore the fact that you've revoked the CA and silently accept the certificate anyway.

Presumably, this fix for Snow Leopard and Lion gets around this quirk.
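Apple's update description above lists three separate actions (remove the root, remove it from the EV list, and distrust DigiNotar certificates "including those issued by other authorities"), and the post above reports that a manually revoked CA could still be accepted through the EV path. The following toy trust evaluator is an added illustration of why those pieces matter together; it is not Apple's code, not part of this thread, and does not parse real X.509. The certificate names, the `spki-*` key fingerprints, the cross-signed DigiNotar certificate and the `ev_before_distrust` switch (which models the ordering the poster describes, not Apple's actual logic) are all constructed for the example.

```python
"""Toy trust-store evaluator for the three-part DigiNotar fix (added illustration)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    spki: str            # stand-in for the public-key fingerprint (constructed)
    ev: bool = False     # leaf carries an EV policy


@dataclass
class TrustStore:
    roots: set                                   # fingerprints of trusted root keys
    ev_roots: set                                # roots allowed to anchor EV certificates
    distrusted: set = field(default_factory=set)  # keys or subjects explicitly denied


# Constructed sample PKI: DigiNotar's root key is also cross-signed by another root,
# so removing the self-signed root alone leaves a second path to a trusted anchor.
OTHER_ROOT = Cert("Other Root CA", "Other Root CA", "spki-other-root")
DIGINOTAR_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA", "spki-diginotar-root")
DIGINOTAR_CROSS = Cert("DigiNotar Root CA", "Other Root CA", "spki-diginotar-root")
LEAF = Cert("www.example.com", "DigiNotar Root CA", "spki-leaf", ev=True)
POOL = [LEAF, DIGINOTAR_ROOT, DIGINOTAR_CROSS, OTHER_ROOT]


def find_path(cert, pool, store, path=()):
    """Depth-first search for a chain from cert to a key listed in store.roots."""
    path = path + (cert,)
    if cert.spki in store.roots:
        return path
    seen_keys = {c.spki for c in path}          # never revisit a key (cross-sign loops)
    for parent in pool:
        if parent.subject == cert.issuer and parent.spki not in seen_keys:
            found = find_path(parent, pool, store, path)
            if found:
                return found
    return None


def evaluate(leaf, pool, store, ev_before_distrust=False):
    """Return (status, reason) for a leaf under a trust store.

    ev_before_distrust=True models the ordering reported in the thread, where an
    EV match is honoured before the explicit distrust list is consulted. The
    default consults distrust first, which is the behaviour a verifier should have.
    """
    path = find_path(leaf, pool, store)
    if path is None:
        return "untrusted", "no path to a trusted root"
    denied = [c for c in path if c.spki in store.distrusted or c.subject in store.distrusted]
    is_ev = leaf.ev and path[-1].spki in store.ev_roots
    if ev_before_distrust and is_ev:
        return "trusted-ev", "EV root matched before the distrust list was checked"
    if denied:
        return "untrusted", "explicitly distrusted: " + denied[0].subject
    if is_ev:
        return "trusted-ev", "path ends at an EV-capable trusted root"
    return "trusted", "path ends at a trusted root"


def scenarios():
    """Run the leaf through the store states the update description implies."""
    before = TrustStore(roots={"spki-other-root", "spki-diginotar-root"},
                        ev_roots={"spki-diginotar-root"})
    root_removed = TrustStore(roots={"spki-other-root"}, ev_roots=set())
    fixed = TrustStore(roots={"spki-other-root"}, ev_roots=set(),
                       distrusted={"spki-diginotar-root", "DigiNotar Root CA"})
    # User kept the root installed but marked it distrusted in their own keychain.
    user_revoked = TrustStore(roots={"spki-other-root", "spki-diginotar-root"},
                              ev_roots={"spki-diginotar-root"},
                              distrusted={"spki-diginotar-root"})
    return {
        "before": evaluate(LEAF, POOL, before)[0],
        "root_removed": evaluate(LEAF, POOL, root_removed)[0],   # still trusted via cross-sign
        "fixed": evaluate(LEAF, POOL, fixed)[0],
        "user_revoked_ev_first": evaluate(LEAF, POOL, user_revoked, ev_before_distrust=True)[0],
        "user_revoked": evaluate(LEAF, POOL, user_revoked)[0],
    }


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:22s} {status}")
```

The `root_removed` case is the one worth noticing: with only the self-signed root deleted, the chain builder simply walks through the cross-signed certificate to the other root and the leaf is still accepted, which is why the update also pins distrust to DigiNotar's key and name rather than to one root certificate. The `user_revoked_ev_first` case shows the same leaf being accepted when EV matching runs ahead of the distrust list, and `user_revoked` shows the result when distrust is consulted first.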
 

blackburn

macrumors 6502a
Feb 16, 2010
974
0
Where Judas lost its boots.
Apparently, there's an unexpected behaviour in OS X: Even if you've manually revoked a certificate authority, if Safari encounters a so-called "Extended Validation" certificate, it will ignore the fact that you've revoked the CA and silently accept the certificate anyway.

Presumably, this fix for Snow Leopard and Lion gets around this quirk.

Yay for not using Safari :D
 

MacNut

macrumors Core
Jan 4, 2002
22,995
9,971
CT
I stopped using Safari and switched to Chrome, a much better browser IMO.
 