Apple’s Mac OS X Security Update 2011-005 blocks stolen DigiNotar certificates

Sep 9, 2011
0

Apple has issued a security update for Mac OS X 10.7 Lion and 10.6 Snow Leopard that will address the fraudulent security certificates issue resulting from the recent hack of DigiNotar. The Dutch company sells SSL certificates to major companies around the world, but had over 500 of the certificates stolen when its servers were breached back in July.

The stolen security certificates included those owned by the CIA, MI6, Yahoo, Skype, Facebook, Twitter, and Microsoft. There's also one from Google that could be used to impersonate services like Gmail. An attacker using the stolen certificate on a website could gain access to intercept your credentials and sensitive information.

The release includes versions for Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion 10.7.1, and Lion Server 10.7.1. The fix is at the root level and configures the default system trust settings to not trust any certificates issued by DigiNotar. You can download the update here. The following is the full description:

Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.

[via Cult of Mac]


Must Read Bits & Bytes