Apple Releases Security Update 2011-005 for OS X to Address Compromised Certificates

[Mr. Retrofire]

Nice to see Apple was on top of things and that some people were ranting over nothing.

Over nothing?

OK.

Institutions which used DigiNotar SSL/TLS certificates included:
The MI 6, the CIA, the Mossad, the Dutch government, Google (many apps including the search function via https://encrypted.google.com/), Microsoft (hotmail, live.com, windowsupdate.com), Mozilla Foundation, Yahoo, Skype and many others. The security hole affects a few 100 million users worldwide.

An example:
http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html

...some people were ranting over nothing.

Yeah right.

 

[Negritude]

Also, if you want to be completely safe on 10.5 and earlier, you should remove DigiNotar's Extended Validation Certificate listing from EVRoots.plist. To edit that file you need to be root, and the simplest way I found was to enter the following command in a terminal:

sudo "/Developer/Applications/Utilities/Property List Editor.app/Contents/MacOS/Property List Editor" /System/Library/Keychains/EVRoots.plist

This gives the Property List Editor the necessary privileges to be able to save the file once you're done editing. Your copy of the PLE may be located in a different directory, and if so, you'll need to change the path appropriately.

Now look for the line that has this number:

2.16.528.1.1001.1.1.1.12.6.1.1.1

Select it. Then click Delete in the menu. Then exit the Property List Editor. You'll be asked to save the file before it closes.

 

[Mr. Retrofire]

Seems DigiNotar may not be the only target.

Where to from here? Who are the other 3?

http://www.globalsign.com/company/press/090611-security-response.html

From:
http://pastebin.com/1AxH30em

You know, I have access to 4 more so HIGH profile CAs, which I can issue certs from them too which I will, I won't name them, I also had access to StartCom CA, I hacked their server too with so sophisticated methods, he was lucky by being sitted in front of HSM for signing, I will name just one more which I still have access: GlobalSign, let me use these accesses and CAs, later I'll talk about them too..

Found via < 5 seconds google search.

----------

Why Apple taking so much time addressing those issue...

This must be the NSA guy, which works now for Apple.

*ROTFLMAO*

 

[bradl]

Likewise, I'm on Snow Leopard and update was 188KB.

Lion on my 2011 MBA. 16KB for me.

BL.

 

[benthewraith]

Something this serious should see updates to Leopard and Tiger as well since some in-service computers require older OS's.

Open Keychain, find DigiNotar, set to never trust.

 

[Kar98]

Wirelessly posted (Mozilla/5.0 (iPod; U; CPU iPhone OS 3_1_3 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7E18 Safari/528.16)

No way I'm switching to FireFox or Chrome… I don't like tabbed browsing, and Safari seems to have a better UI than the other ones… I do have FireFox installed for some of the plugind…

I even use Safari in parallels…

Seems silly. You don't /have/ to use tabbed browsing (not gonna try to convince you otherwise), but saying Safari has a better UI than Firefox? That's just silly. Oh well, if it wasn't for people like you, I wouldn't get to eat. So, please do carry on.

 

[Shrink]

"To install the updates, you must restart your computer."

I know I must be missing something. I don't understand why the big deal is about doing a restart. So many people make a fuss about it. So it takes a minute, even two.

Is there something other than a two minute inconvenience that gets so many folks upset?

If not - believe me, life is too short to so bent out of shape about two minutes.

 

[vpndev]

Requires 10.6.8

The Snow Leopard version REQUIRES 10.6.8.

I remain on 10.6.6 and it refuses to install.

Bad move, Apple. You should NOT use a Security Update to force people to update.

 

[vitzr]

Although it took Apple far longer to respond, at least they did something finally.

 

[adder7712]

Oh, I think that's the reason why Firefox is at 6.0.2 and release notes are talking about compromised security certs. Chrome probably updated without me knowing.

The Snow Leopard version REQUIRES 10.6.8.

I remain on 10.6.6 and it refuses to install.

Bad move, Apple. You should NOT use a Security Update to force people to update.

The question is, why are you on 10.6.6?

 

[MacTech68]

Seems DigiNotar may not be the only target.

Where to from here? Who are the other 3?

http://www.globalsign.com/company/press/090611-security-response.html

On Sep 5th 2011 the individual/group previously confirmed to have hacked several Comodo resellers, claimed responsibility for the recent DigiNotar hack. In his message posted on Pastebin, he also referred to having access to 4 further high profile Certificate Authorities, and named GlobalSign as one of the 4.

From:
http://pastebin.com/1AxH30em

You know, I have access to 4 more so HIGH profile CAs, which I can issue certs from them too which I will, I won't name them, I also had access to StartCom CA, I hacked their server too with so sophisticated methods, he was lucky by being sitted in front of HSM for signing, I will name just one more which I still have access: GlobalSign, let me use these accesses and CAs, later I'll talk about them too..

Found via < 5 seconds google search.

Uhuh... I already quoted and linked to GlobalSign. Found in less than 1 second by reading my post. You found StartCom which it seems he wasn't able to completely compromise. That still leaves the 4 which he won't name, then decides to name 1 of the 4. That still leaves 3 unnamed. At least, that's how I (and GlobalSign) read it.

 

[OakDragon]

This so-called "security update" did not ask me to enter my username and password before installing. (Via Software Update, onto 10.6.8)

 

[AidenShaw]

This so-called "security update" did not ask me to enter my username and password before installing. (Via Software Update, onto 10.6.8)

Uh-oh. You got the Chinese download....

 

[munkery]

This so-called "security update" did not ask me to enter my username and password before installing. (Via Software Update, onto 10.6.8)

Very few updates prompt for authentication anymore. This is because the updates are code signed and verified via a checksum prior to installation.

 

[OakDragon]

Very few updates prompt for authentication anymore. This is because the updates are code signed and verified via a checksum prior to installation.

Hmm, I hadn't noticed that. Thanks for the heads-up.

 

[JackieTreehorn]

Just wondering: I deleted everything from Diginotar in my keychain. What does this update add?

 

[AnonMac50]

The Snow Leopard version REQUIRES 10.6.8.

I remain on 10.6.6 and it refuses to install.

Bad move, Apple. You should NOT use a Security Update to force people to update.

Same here, except on 10.6.7 and I don't want to install 10.6.8.

 

[Sjhonny]

Seems DigiNotar may not be the only target.

Where to from here? Who are the other 3?

http://www.globalsign.com/company/press/090611-security-response.html

The GlobalSign hacker only gained access to the Web-server. He wasn't able to generate any certificates of his own.

 

[MacTech68]

The GlobalSign hacker only gained access to the Web-server. He wasn't able to generate any certificates of his own.

So far so good.

 

[jonnysods]

Security patches are always welcomed!!

 

[gnasher729]

"To install the updates, you must restart your computer."

And what happens in Lion if you restart your computer?

Open Keychain, find DigiNotar, set to never trust.

Just remove it completely.

 

[MagnusVonMagnum]

Nice to see Apple was on top of things and that some people were ranting over nothing.

Yes, I love the way they patched Leopard for those ancient PPC machines! I guess those users don't deserve any security. They still update iTunes, though. I guess they want those music and movie sales.

I'm still getting security updates for Microsoft's operating system that came out at the beginning of this century. I guess one can't expect that level of service from tiny, insignificant Apple. After all, you're supposed to buy new hardware every year from them or simply expect zero support.

 

[doctor-don]

The Snow Leopard version REQUIRES 10.6.8.

I remain on 10.6.6 and it refuses to install.

Bad move, Apple. You should NOT use a Security Update to force people to update.

And I remain at 10.5.8, so no SU notice of this security update.

Oh, I think that's the reason why Firefox is at 6.0.2 and release notes are talking about compromised security certs. Chrome probably updated without me knowing.



The question is, why are you on 10.6.6?

The question might be put to you, Why should I install 10.6.x?

 

[doctor-don]

And what happens in Lion if you restart your computer?




Just remove it completely.

Weird quote.

For those of us who don't delve into the inner workings that often, how does one Open Keychain and remove / modify a particular entry? And where is the keychain supposed to be located? I find that several exist.

 

[benthewraith]

Weird quote.

For those of us who don't delve into the inner workings that often, how does one Open Keychain and remove / modify a particular entry? And where is the keychain supposed to be located? I find that several exist.

Keychain is in utilities. You can also get there from Spotlight. You can perform a search in Keychain for DigiNotar. You can right click and delete it. Or you can double click and look in the window that pops up. Look for the drop down for trust and set it to never.