Old Sep 9, 2011, 12:19 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Apple Releases Security Update 2011-005 for OS X to Address Compromised Certificates







Apple today released Security Update 2011-005 for OS X, a small update addressing a specific security issue related to fraudulent certificates from DigiNotar.
Quote:
Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.
DigiNotar's servers were compromised several weeks ago, with hackers obtaining access to hundreds of certificates. Apple has been criticized for being slow to respond to the issue, but is now doing so today by revoking DigiNotar's status as a trusted source.
Quote:
DigiNotar, one of hundreds of firms authorized to issue digital certificates that authenticate a website's identity, admitted on Aug. 30 that its servers were compromised weeks earlier. A report made public Monday said that hackers had acquired 531 certificates, including many used by the Dutch government, and that DigiNotar was unaware of the intrusion for weeks.
Available updates include:

- Security Update 2011-005 (Lion) (15.59 MB)
- Security Update 2011-005 (Snow Leopard) (869 KB)


Article Link: Apple Releases Security Update 2011-005 for OS X to Address Compromised Certificates

Last edited by WildCowboy; Sep 9, 2011 at 12:24 PM.
MacRumors is offline   0 Reply With Quote
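An added example (not from Apple's advisory or the update itself) modelling why the fix distrusts DigiNotar explicitly instead of only removing its root: a cross-signed intermediate still chains to another trusted root. The evaluator matches certificates by name only and checks no signatures, and every CA and host name in it is a constructed placeholder.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

POOL = [  # constructed sample data; CA and host names are placeholders
    Cert("DigiNotar Services CA", "DigiNotar Root CA"),
    Cert("DigiNotar Services CA", "Other Root CA"),  # cross-signed copy
    Cert("Other Issuing CA", "Other Root CA"),
]
FRAUD_LEAF = Cert("login.example.test", "DigiNotar Services CA")
GOOD_LEAF = Cert("shop.example.test", "Other Issuing CA")
DIGINOTAR = {"DigiNotar Root CA", "DigiNotar Services CA"}

def build_paths(leaf, pool, roots):
    """Every chain [leaf, intermediates...] whose last issuer is a trusted root."""
    found = []
    def walk(cert, chain):
        chain = chain + [cert]
        if cert.issuer in roots:
            found.append(chain)
        for parent in pool:
            if parent.subject == cert.issuer and parent not in chain:
                walk(parent, chain)
    walk(leaf, [])
    return found

def evaluate(leaf, pool, roots, ev_roots=frozenset(), distrusted=frozenset()):
    """Return 'ev', 'trusted' or 'untrusted' for leaf under the given settings."""
    verdict = "untrusted"
    for chain in build_paths(leaf, pool, roots):
        # Explicit distrust of any CA in the chain overrides a valid anchor.
        if distrusted & ({c.subject for c in chain} | {chain[-1].issuer}):
            continue
        if chain[-1].issuer in ev_roots:
            return "ev"
        verdict = "trusted"
    return verdict

def scenarios():
    other = {"Other Root CA"}
    return {
        "before update": evaluate(FRAUD_LEAF, POOL, other | {"DigiNotar Root CA"}, {"DigiNotar Root CA"}),
        "root and EV entry removed only": evaluate(FRAUD_LEAF, POOL, other),
        "removed and distrusted": evaluate(FRAUD_LEAF, POOL, other, distrusted=DIGINOTAR),
        "unrelated site": evaluate(GOOD_LEAF, POOL, other, distrusted=DIGINOTAR),
    }

if __name__ == "__main__":
    print(scenarios())
```

Only the third configuration rejects the fraudulent leaf, and the unrelated site under the other root keeps validating.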
Old Sep 9, 2011, 12:22 PM   #2
tigres
macrumors 68040
 
 
Join Date: Aug 2007
Location: Land of the Free-Waiting for Term Limits
Why the big file size difference?
__________________
Quicker than two shakes of a lambs tail
tigres is online now   5 Reply With Quote
Old Sep 9, 2011, 12:23 PM   #3
KnightWRX
macrumors Pentium
 
 
Join Date: Jan 2009
Location: Quebec, Canada
Nice to see Apple was on top of things and that some people were ranting over nothing.
__________________
"What you leave behind is not what is engraved in stone monuments, but what is woven into the lives of others."
-- Pericles
KnightWRX is offline   -1 Reply With Quote
Old Sep 9, 2011, 12:26 PM   #4
lucascampelo
macrumors newbie
 
Join Date: Feb 2011
Quote:
Originally Posted by tigres View Post
Why the big file size difference?
Actually, depends on the system. I'm running Lion on a MacBook Air 2011 and it was only a couple hundred KB.
lucascampelo is offline   1 Reply With Quote
Old Sep 9, 2011, 12:27 PM   #5
applefan289
macrumors 68000
 
Join Date: Aug 2010
Location: USA
Yeah, mine took no time to download and I'm on a 27" iMac running Lion...so it must have only been a few kilobytes for me.
applefan289 is offline   0 Reply With Quote
Old Sep 9, 2011, 12:29 PM   #6
iekozz
macrumors member
 
Join Date: Nov 2009
Location: Amsterdam
Little note: If you're using Chrome or Firefox on OS X, you were already protected. But it's nice that Apple has finally released a security update for OS X.
iekozz is offline   3 Reply With Quote
Old Sep 9, 2011, 12:29 PM   #7
Rocketman
macrumors 603
 
 
Join Date: Dec 2001
Location: Claremont, CA
Something this serious should see updates to Leopard and Tiger as well since some in-service computers require older OS's.
__________________
Think Different-ly!
All 357 R or D House jobs bills over 4 years died in the D Senate, ordered by the D President. Buy a model rocket here: http://v-serv.com/usr/instaship-visual.htm Thanks.
Rocketman is offline   4 Reply With Quote
Old Sep 9, 2011, 12:30 PM   #8
MJedi
macrumors 6502
 
Join Date: Dec 2010
Location: WA
Do the compromised certificates only exist on Snow Leopard and Lion?

What about Leopard?
__________________
13-inch MacBook Air Core i7 (Mid 2013) | 15-inch MacBook Pro 2.4Ghz (Mid 2007) | 20-inch iMac (Early 2009) | iPad mini Wi-Fi+4G LTE (32GB) | iPhone 5s (64GB)
MJedi is offline   3 Reply With Quote
Old Sep 9, 2011, 12:31 PM   #9
tigress666
macrumors 68040
 
Join Date: Apr 2010
Location: Washington State
Quote:
Originally Posted by KnightWRX View Post
Nice to see Apple was on top of things and that some people were ranting over nothing.
It took them long enough, everyone else already had it covered.

So, I think it is still a valid rant.
__________________
2010 Macbook Pro, 2007 Macbook, gutted out Gateway (still a PC, only case is original) that needs an OS installed on it, 400 MHz G4, non working Macintosh Performa (I really should chuck that one).
tigress666 is offline   0 Reply With Quote
Old Sep 9, 2011, 12:31 PM   #10
KnightWRX
macrumors Pentium
 
 
Join Date: Jan 2009
Location: Quebec, Canada
Quote:
Originally Posted by Rocketman View Post
Something this serious should see updates to Leopard and Tiger as well since some in-service computers require older OS's.
Like stated previously, don't use Safari, use Chrome or Firefox on an older computer while they are still supported.

Commercial vendors are quicker to end of life software than the open source community, it's just the way of the world unfortunately.

Quote:
Originally Posted by tigress666 View Post
It took them long enough, everyone else already had it covered.

So, I think it is still a valid rant.
Seeing how the article is a day old and this patch comes along, seems to me they were late rather than "not on top of things".

They didn't start working on this yesterday, maybe they caught something in Q&A that delayed things a bit. It's just the reality of software development.
__________________
"What you leave behind is not what is engraved in stone monuments, but what is woven into the lives of others."
-- Pericles
KnightWRX is offline   -2 Reply With Quote
Old Sep 9, 2011, 12:35 PM   #11
stanton
macrumors member
 
Join Date: Jan 2008
Location: Philly
Quote:
Originally Posted by KnightWRX View Post
Nice to see Apple was on top of things and that some people were ranting over nothing.
I wouldn't say they were ranting for nothing especially if you live in Iran, where most of the poisoned DNS servers were located. They had control of every .com, .org, and a lot of individual certificates for google.com, facebook.com, etc... Everyone in that country now should change every username/password just to make sure that they didn't accidentally give their bank info to a 3rd party.

For the complete list you can read the IT analysis at: http://www.rijksoverheid.nl/bestande...tulip-v1-0.pdf

Last edited by stanton; Sep 9, 2011 at 12:49 PM.
stanton is offline   2 Reply With Quote
Old Sep 9, 2011, 12:42 PM   #12
Custommm
macrumors member
 
Join Date: May 2009
It's about time!

Why is Apple taking so much time addressing those issues.... You guys are lagging big time! Still love you soooo much. But switch gear regarding security updates!!!!
Custommm is offline   -1 Reply With Quote
Old Sep 9, 2011, 12:49 PM   #13
mysticalos
macrumors member
 
Join Date: May 2007
This update appears to be in 10.7.2 already, which was seeded a week ago, so that means Apple has had a fix ready for at least 7 days, so if they delayed it for 10.7.1 they probably had a reason.
mysticalos is offline   0 Reply With Quote
Old Sep 9, 2011, 12:51 PM   #14
FourCandles
macrumors 6502a
 
Join Date: Feb 2009
Location: England
Quote:
Originally Posted by applefan289 View Post
Yeah, mine took no time to download and I'm on a 27" iMac running Lion...so it must have only been a few kilobytes for me.
Likewise, I'm on Snow Leopard and update was 188KB.
FourCandles is offline   0 Reply With Quote
Old Sep 9, 2011, 01:04 PM   #15
AppliedMicro
macrumors 6502a
 
Join Date: Aug 2008
Quote:
Originally Posted by KnightWRX View Post
They didn't start working on this yesterday, maybe they caught something in Q&A that delayed things a bit.
Removing compromised root certificates isn't rocket science.

There is simply no excuse for Apple taking almost two weeks longer than Microsoft to release this update - with Microsoft having to cover way more OS releases and update/service pack configurations than Apple.
AppliedMicro is offline   6 Reply With Quote
Old Sep 9, 2011, 01:12 PM   #16
doboy
macrumors 65816
 
Join Date: Jul 2007
Now we just need the update for Safari on iOS devices
__________________
iPhone 2G, 3GS, 4 | 15" MB Pro & 13" MBA | Apple TV2 | iPad 1, 2, 3, Air (kept), & rMini (returned) | GSIII, Note II, & LG G2

Thank you Steve for
doboy is offline   3 Reply With Quote
Old Sep 9, 2011, 01:14 PM   #17
8CoreWhore
macrumors 68000
 
 
Join Date: Jan 2008
Location: Big D
Apple is a week behind everyone else! Irresponsible!
__________________
Late 2013 Haswell 15" rMBP... iPhone 5S iOS7... AEBS 802.11AC ... iPod Shuffle...
8CoreWhore is offline   1 Reply With Quote
Old Sep 9, 2011, 01:17 PM   #18
brdeveloper
macrumors 68000
 
 
Join Date: Apr 2010
Location: Brasil
Apple is not ready to have its OSX as popular as Microsoft Windows.
__________________
15" rMBP Early-2013, 2.4GHz. After 3 display replacements, I'm still seeing uniformity problems.
2009 Unibody White MacBook, 250GB 840 EVO SSD, 8GB
Mid-2010 MacMini, 480GB Crucial M500 SSD, 16GB
brdeveloper is offline   4 Reply With Quote
Old Sep 9, 2011, 01:22 PM   #19
igazza
macrumors 6502a
 
Join Date: Aug 2007
Location: earth
small update, but not the smallest
__________________
igazza is offline   0 Reply With Quote
Old Sep 9, 2011, 01:31 PM   #20
blackburn
macrumors 6502a
 
 
Join Date: Feb 2010
Location: Where Judas lost it's boots.
I've disabled that certificate and many useless ones weeks ago. Even Linux was updated first.
__________________
Lenovo ThinkPad + Nexus 7 (2nd Gen)
blackburn is offline   0 Reply With Quote
Old Sep 9, 2011, 01:36 PM   #21
3bs
macrumors 603
 
 
Join Date: May 2011
Location: Dublin, Ireland
Quote:
Originally Posted by igazza View Post
small update, but not the smallest
How small can it get? It was 188 KB for me on a 2010 MBA running Lion.
3bs is offline   0 Reply With Quote
Old Sep 9, 2011, 01:40 PM   #22
goosnarrggh
macrumors 68000
 
Join Date: May 2006
Quote:
Originally Posted by KnightWRX View Post
Like stated previously, don't use Safari, use Chrome or Firefox on an older computer while they are still supported.
If you're still using Tiger or Leopard, odds are you're doing so because your hardware cannot support Snow Leopard or Lion. (There are always exceptions, and for these, I apologize for the generalization.)

These people must be running PPC-based Macs, and therefore cannot run any of the official releases of Chrome at all. (I'm not sure if anybody's unofficially compiled open source Chromium for PPC Mac OS X.)

However, official builds of Firefox 3.6.x run on all Macs, including PPC models, going all the way back to Tiger. And there's already a Firefox 3.6.x patch to fix this problem.

And there are 3rd party builds based upon Firefox, not under Mozilla's direct control, using the same codebase as Firefox 4/5/6/7, which are compatible with all G3, G4, and G5 Macs running Tiger and Leopard with at least 512 MB of RAM. I know of at least one which released a 6.0.1 patch containing this fix.

(By the way: I certainly hope that all PPC Mac users out there have uninstalled their Flash players by now. It is now a dangerous source of open security flaws which Adobe has NO plans to EVER fix.)

----------

Quote:
Originally Posted by blackburn View Post
I've disabled that certificate and many useless ones weeks ago. Even Linux was updated first.
Apparently, there's an unexpected behaviour in OS X: Even after you've used the Keychain manager to manually revoke a certificate authority, if Safari encounters a so-called "Extended Validation" certificate, it will ignore the fact that you've revoked the CA and silently accept the certificate anyway.

Presumably, this fix for Snow Leopard and Lion gets around this quirk.
goosnarrggh is offline   1 Reply With Quote
Old Sep 9, 2011, 01:42 PM   #23
blackburn
macrumors 6502a
 
 
Join Date: Feb 2010
Location: Where Judas lost it's boots.
Quote:
Originally Posted by goosnarrggh View Post
Apparently, there's an unexpected behaviour in OS X: Even if you've manually revoked a certificate authority, if Safari encounters a so-called "Extended Validation" certificate, it will ignore the fact that you've revoked the CA and silently accept the certificate anyway.

Presumably, this fix for Snow Leopard and Lion gets around this quirk.
Yay for not using Safari
__________________
Lenovo ThinkPad + Nexus 7 (2nd Gen)
blackburn is offline   0 Reply With Quote
Old Sep 9, 2011, 01:43 PM   #24
MacNut
macrumors P6
 
 
Join Date: Jan 2002
Location: CT
I stopped using Safari and switched to Chrome, a much better browser IMO.
__________________
The thoughts in my head are rated TV-MA. Viewer discretion is advised.
Now batting, Number 2 Derek Jeter, Number 2
MacNut is offline   0 Reply With Quote
Old Sep 9, 2011, 01:43 PM   #25
Daveoc64
macrumors 601
 
Join Date: Jan 2008
Location: Bristol, UK
Quote:
Originally Posted by KnightWRX View Post
Nice to see Apple was on top of things and that some people were ranting over nothing.
Being the last major vendor to release an update is not "being on top of things". Even Adobe moved faster.

iOS is still vulnerable.
__________________
Nexus 5 32GB Black (Three UK) | Nexus 7 (2012) | Kindle Paperwhite (2013)
iPhone 4 32GB
White MacBook (Late 2007)
Windows 8.1 | iCloud, Dropbox, Spotify Premium
Daveoc64 is offline   1 Reply With Quote
