Apple releases security updates to invalidate the fraudulent certificates

Apple has finally released Security Update 2011-005 for its products to address the incidents with the fraudulent certificates issued by multiple certificate authorities operated by DigiNotar. The problems with these certificates have already been addressed twice in the last two weeks; last time we noted that the only vendor which had not yet invalidated the certificates was Apple.

As expected, Apple has now released the updates for Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1 and OS X Lion Server v10.7.1. Apple did what everybody else already did last week – it removed DigiNotar from the list of trusted root certificates and from the list of Extended Validation (EV) certificate authorities, and configured the default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.
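The paragraph above names two separate measures: removing the DigiNotar root from the trust store, and additionally configuring trust settings so that DigiNotar certificates are rejected even when they are issued (cross-signed) by another authority. The following model, an added example and not Apple's code, shows why the second step matters: a path validator that only consults the list of trusted roots will still accept a chain that reaches a remaining trusted root through a cross-signed copy of the distrusted CA. All certificate names ("Other Root CA", the `*.example.test` hosts) and key identifiers are constructed for the example; signatures are modeled by issuer-name matching rather than cryptographically verified, since the point here is the path-building and trust decision, not the signature check.

```python
"""Model of trust-store path validation with an explicit distrust list.

Constructed example, not Apple's implementation. Certificates are plain
records; "issued by" is modeled as issuer-name matching (no signature
verification). key_id identifies a CA key pair and is therefore shared
by a self-signed root and a cross-signed copy of the same CA.
"""
from dataclasses import dataclass
from typing import Iterator, List, Set


@dataclass(frozen=True)
class Cert:
    subject: str   # distinguished name, simplified to a label
    issuer: str    # subject label of the CA that signed this cert
    key_id: str    # identifies the key pair behind this cert


def find_paths(cert: Cert, pool: List[Cert], depth: int = 0) -> Iterator[List[Cert]]:
    """Yield every chain from cert up to a self-signed certificate.

    A CA that exists both as a self-signed root and as a cross-signed
    copy produces more than one candidate path for the same leaf.
    """
    if cert.issuer == cert.subject:
        yield [cert]
        return
    if depth >= 8:  # guard against cross-signing loops
        return
    for cand in pool:
        if cand.subject == cert.issuer and cand != cert:
            for rest in find_paths(cand, pool, depth + 1):
                yield [cert] + rest


def is_trusted(leaf: Cert, pool: List[Cert],
               trusted_root_keys: Set[str], distrusted_keys: Set[str]) -> bool:
    """Accept the leaf if some path ends in a trusted root and contains
    no certificate whose key is explicitly distrusted."""
    for path in find_paths(leaf, pool):
        if path[-1].key_id not in trusted_root_keys:
            continue  # anchor is not in the trust store
        if any(c.key_id in distrusted_keys for c in path):
            continue  # explicit distrust overrides an otherwise valid path
        return True
    return False


# Constructed PKI: the distrusted CA exists as its own root and as a
# cross-signed copy issued by a hypothetical second, still-trusted root.
OTHER_ROOT = Cert("Other Root CA", "Other Root CA", "other-root-key")
DIGINOTAR_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA", "diginotar-key")
DIGINOTAR_CROSS = Cert("DigiNotar Root CA", "Other Root CA", "diginotar-key")
FRAUDULENT_LEAF = Cert("login.example.test", "DigiNotar Root CA", "leaf-key-1")
LEGIT_LEAF = Cert("shop.example.test", "Other Root CA", "leaf-key-2")
POOL = [OTHER_ROOT, DIGINOTAR_ROOT, DIGINOTAR_CROSS, FRAUDULENT_LEAF, LEGIT_LEAF]


def evaluate_scenarios() -> dict:
    """Compare the trust decision under the three trust-store states."""
    before = {"diginotar-key", "other-root-key"}
    after_removal = {"other-root-key"}
    return {
        # Original state: the fraudulent certificate validates.
        "before_update": is_trusted(FRAUDULENT_LEAF, POOL, before, set()),
        # Root removed, but no distrust entry: the cross-signed copy still
        # provides a path to the remaining trusted root.
        "root_removed_only": is_trusted(FRAUDULENT_LEAF, POOL, after_removal, set()),
        # Root removed and the CA key distrusted: every path is rejected.
        "root_removed_and_distrusted": is_trusted(
            FRAUDULENT_LEAF, POOL, after_removal, {"diginotar-key"}),
        # Sites chaining to the unrelated root are unaffected.
        "unrelated_site_still_ok": is_trusted(
            LEGIT_LEAF, POOL, after_removal, {"diginotar-key"}),
    }


if __name__ == "__main__":
    for name, ok in evaluate_scenarios().items():
        print(f"{name}: {'trusted' if ok else 'NOT trusted'}")
```

Running the block prints the four decisions; the `root_removed_only` case is the one to look at, since it is the gap that a distrust entry keyed on the CA (rather than on one certificate file) closes.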

As mentioned already, the measure is very drastic, but necessary. The incident at DigiNotar has been a cold shower for the whole security industry. What everybody has taken for granted for years – that security certificates are trusted by definition – has been shown to fall far short of expectations. From now on, the old saying „trust is good, control is better“ has to be applied also to the … „previously trusted“ certificate publishers.

Please update your Mac by means of automatic updates or download the files manually and install them:

  • Mac OS X v10.6.8 and Mac OS X Server v10.6.8: SecUpd2011-005Snow.dmg
  • OS X Lion v10.7.1 and OS X Lion Server v10.7.1: SecUpd2011-005Lion.dmg


Sorin Mustaca

Data Security Expert