Apple today released Security Update 2011-005 for OS X, a small update addressing a specific security issue related to fraudulent certificates from DigiNotar.
Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.
DigiNotar's servers were compromised several weeks ago, with hackers obtaining access to hundreds of certificates. Apple has been criticized for being slow to respond to the issue, but is now doing so today by revoking DigiNotar's status as a trusted source.
DigiNotar, one of hundreds of firms authorized to issue digital certificates that authenticate a website's identity, admitted on Aug. 30 that its servers were compromised weeks earlier. A report made public Monday said that hackers had acquired 531 certificates, including many used by the Dutch government, and that DigiNotar was unaware of the intrusion for weeks.
Available updates include:

- Security Update 2011-005 (Lion) (15.59 MB)
- Security Update 2011-005 (Snow Leopard) (869 KB)


Article Link: Apple Releases Security Update 2011-005 for OS X to Address Compromised Certificates
 
Yeah, mine took no time to download and I'm on a 27" iMac running Lion...so it must have only been a few kilobytes for me.
 
Little note: If you're using Chrome or Firefox on OS X, you were already protected. But it's nice that Apple has finally released a security update for OS X.
 
Do the compromised certificates only exist on Snow Leopard and Lion? :confused:

What about Leopard?
 
Something this serious should see updates to Leopard and Tiger as well since some in-service computers require older OS's.

Like stated previously, don't use Safari, use Chrome or Firefox on an older computer while they are still supported.

Commercial vendors are quicker to end of life software than the open source community, it's just the way of the world unfortunately.

It took them long enough, everyone else already had it covered.

So, I think it is still a valid rant.

Seeing how the article is a day old and this patch comes along, seems to me they were late rather than "not on top of things".

They didn't start working on this yesterday, maybe they caught something in Q&A that delayed things a bit. It's just the reality of software development.
 
Nice to see Apple was on top of things and that some people were ranting over nothing.

I wouldn't say they were ranting for nothing, especially if you live in Iran, where most of the poisoned DNS servers were located. They had control of every .com, .org, and a lot of individual certificates for google.com, facebook.com, etc... Everyone in that country now should change every username/password just to make sure that they didn't accidentally give their bank info to a 3rd party.

For the complete list you can read the IT analysis at: http://www.rijksoverheid.nl/bestand...rapport-fox-it-operation-black-tulip-v1-0.pdf
 
It's about time!

Why is Apple taking so much time addressing those issues.... You guys are lagging big time! Still love you soooo much :). But switch gears regarding security updates!!!!
 
This update appears to be in 10.7.2 already, which was seeded a week ago, so that means Apple has had the fix ready for at least 7 days; so if they delayed it for 10.7.1 they probably had a reason.
 
They didn't start working on this yesterday, maybe they caught something in Q&A that delayed things a bit.
Removing compromised root certificates isn't rocket science.

There is simply no excuse for Apple taking almost two weeks longer than Microsoft to release this update - with Microsoft having to cover way more OS releases and update/service pack configurations than Apple.
 
Like stated previously, don't use Safari, use Chrome or Firefox on an older computer while they are still supported.
If you're still using Tiger or Leopard, odds are you're doing so because your hardware cannot support Snow Leopard or Lion. (There are always exceptions, and for these, I apologize for the generalization.)

These people must be running PPC-based Macs, and therefore cannot run any of the official releases of Chrome at all. (I'm not sure if anybody's unofficially compiled open source Chromium for PPC Mac OS X.)

However, official builds of Firefox 3.6.x run on all Macs, including PPC models, going all the way back to Tiger. And there's already a Firefox 3.6.x patch to fix this problem.

And there are 3rd party builds based upon Firefox, not under Mozilla's direct control, using the same codebase as Firefox 4/5/6/7, which are compatible with all G3, G4, and G5 Macs running Tiger and Leopard with at least 512 MB of RAM. I know of at least one which released a 6.0.1 patch containing this fix.

(By the way: I certainly hope that all PPC Mac users out there have uninstalled their Flash players by now. It is now a dangerous source of open security flaws which Adobe has NO plans to EVER fix.)

----------

I've disabled that certificate and many useless ones weeks ago. Even Linux was updated first.

Apparently, there's an unexpected behaviour in OS X: Even after you've used the Keychain manager to manually revoke a certificate authority, if Safari encounters a so-called "Extended Validation" certificate, it will ignore the fact that you've revoked the CA and silently accept the certificate anyway.

Presumably, this fix for Snow Leopard and Lion gets around this quirk.
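As an added illustration, not code from Apple or from any poster in this thread, here is a small Python model of two points raised above: the update's distrust setting rejecting a DigiNotar certificate even when another trusted authority cross-signs it, and the EV-first check order the post above describes for Safari. All CA names, chains, trust-store contents and the check order are constructed assumptions.

```python
from dataclasses import dataclass
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ev: bool = False          # presented as an Extended Validation certificate

@dataclass(frozen=True)
class TrustStore:
    roots: frozenset          # subjects of trusted root CAs
    ev_roots: frozenset       # subjects on the EV authority list
    distrusted: frozenset     # CAs whose certificates must never be trusted

def _well_formed(chain, roots):
    # Leaf first, root last; each issuer must name the next certificate's subject.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = chain[-1]
    return root.issuer == root.subject and root.subject in roots

def _touches_distrusted(chain, distrusted):
    # A distrusted CA anywhere in the chain, as subject or as issuer, poisons it.
    return any(c.subject in distrusted or c.issuer in distrusted for c in chain)

def evaluate_quirky(chain, store):
    """Check order the post above attributes to Safari: an EV chain anchored in a
    listed EV root is accepted before the user's distrust settings are consulted."""
    if not _well_formed(chain, store.roots):
        return False
    if chain[0].ev and chain[-1].subject in store.ev_roots:
        return True
    return not _touches_distrusted(chain, store.distrusted)

def evaluate_fixed(chain, store):
    """Explicit distrust wins over root membership and EV status, which is what
    pulling a CA from all three lists in the update amounts to."""
    if _touches_distrusted(chain, store.distrusted):
        return False
    return _well_formed(chain, store.roots)

# Constructed store: DigiNotar still a root and on the EV list, but set to "never trust" by hand.
BEFORE = TrustStore(roots=frozenset({"Good Root CA", "DigiNotar Root CA"}),
                    ev_roots=frozenset({"DigiNotar Root CA"}),
                    distrusted=frozenset({"DigiNotar Root CA", "DigiNotar Public CA"}))
FORGED_EV = [Cert("www.example.com", "DigiNotar Root CA", ev=True),
             Cert("DigiNotar Root CA", "DigiNotar Root CA")]
CROSS_SIGNED = [Cert("mail.example.com", "DigiNotar Public CA"),   # DigiNotar intermediate
                Cert("DigiNotar Public CA", "Good Root CA"),        # cross-signed by another CA
                Cert("Good Root CA", "Good Root CA")]
LEGIT = [Cert("shop.example.com", "Good Root CA"), Cert("Good Root CA", "Good Root CA")]
```

With the quirky order the forged EV chain is accepted despite the manual revocation; with distrust checked first it is rejected, as is the cross-signed chain that never touches the DigiNotar root at all.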
 
Apparently, there's an unexpected behaviour in OS X: Even if you've manually revoked a certificate authority, if Safari encounters a so-called "Extended Validation" certificate, it will ignore the fact that you've revoked the CA and silently accept the certificate anyway.

Presumably, this fix for Snow Leopard and Lion gets around this quirk.

Yay for not using Safari :D
 
I stopped using Safari and switched to Chrome, a much better browser IMO.
 