
Apple Finally Reacts To DigiNotar Hack

Apple has revoked all DigiNotar security certificates by issuing a Mac OS X update in response to the hack of the Dutch SSL certificate authority.

The iMac and MacBook-maker issued the update for Snow Leopard (10.6) and Lion (10.7) users on Friday in order to ensure all certificates from the compromised CA would no longer be trusted.

Apple is the last of the major web browser makers to react to the threat from the DigiNotar hack.

Apple’s update page says: “Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.”

The same page also spells out the threat posed by not updating, saying: “An attacker with a privileged network position may intercept user credentials or other sensitive information.”

Playing catch up

Until this update Apple was lagging Mozilla, Microsoft and Google in responding to the crisis, with its competitors having each begun invalidating DigiNotar certificates through their web browsers by this time last week.

But Chester Wisniewski, senior security advisor at Sophos Canada, wrote on the Naked Security blog that neither Apple, Microsoft, Google nor RIM had moved to protect their mobile users, presenting an opportunity for Apple.

“This is an opportunity for Apple to get ahead of the competition. It is much easier for Apple to patch iDevices than Google to fix Androids, get the handset makers to apply the fixes and then convince the carriers to deploy the updates,” he wrote.

The DigiNotar attack emerged on 30 August, when it was revealed that a fraudulent Google certificate reportedly issued by DigiNotar had been doing the rounds since 10 July.

This meant that for nearly two months hackers had been able to set up fake versions of Google websites that appeared genuine to Google users and their web browsers.

Wide reaching problem

Last week the extent of the compromise appeared to include certificates in the names of the CIA, MI6, Google, Facebook, Twitter, Microsoft, Skype, Mozilla, Yahoo, Tor, WordPress, Mossad, AOL and LogMeIn, and DigiNotar had been removed from many of the browser brands’ lists of trusted authorities.

The number of certificates stolen from DigiNotar is said to be more than 500 and they may include intermediate signing certificates. These allow authority to be assigned to intermediaries to sign and validate certificates on DigiNotar’s behalf.
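The wording of Apple’s update above (DigiNotar certificates “including those issued by other authorities” are not trusted) and the intermediate signing certificates just described point at the same chain-validation detail: deleting a root from the trust store is not enough if an intermediate bearing the compromised CA’s name can be cross-signed by a root that is still trusted. The following Python is an added illustration, not Apple’s code; every certificate name and fingerprint in it is constructed for the example, and the chain model is a simplification (issuer/subject name matching stands in for signature verification).

```python
"""Illustration of two remediation policies for a compromised CA:
(1) only removing its root from the trust store, versus
(2) explicitly distrusting any certificate that belongs to it,
whoever signed it. All names and fingerprints below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str      # distinguished name of the certificate holder
    issuer: str       # distinguished name of the signer
    fingerprint: str  # constructed placeholder; a real store would hold a hash


# Constructed root store: subject -> fingerprint of each trusted anchor.
TRUSTED_ROOTS = {
    "CN=Example Trusted Root": "fp-root-example",
}

# Constructed distrust list, keyed both by subject name and by fingerprint.
DISTRUSTED_SUBJECTS = {"CN=DigiNotar Root CA", "CN=DigiNotar Cross Signed CA"}
DISTRUSTED_FINGERPRINTS = {"fp-diginotar-root", "fp-diginotar-cross"}


def _links(chain):
    """Check that each certificate names the next one up as its issuer.
    (A real validator would verify the signature; names suffice here.)"""
    return all(child.issuer == parent.subject for child, parent in zip(chain, chain[1:]))


def root_removal_only(chain, roots=TRUSTED_ROOTS):
    """Naive remediation: the CA's root was simply deleted from the store.
    `chain` is leaf-first; its last element must be a trusted root.
    Returns (accepted, reason)."""
    if not chain or not _links(chain):
        return False, "broken chain"
    root = chain[-1]
    if roots.get(root.subject) != root.fingerprint:
        return False, f"root not trusted: {root.subject}"
    return True, "chains to trusted root"


def explicit_distrust(chain, roots=TRUSTED_ROOTS,
                      bad_subjects=DISTRUSTED_SUBJECTS,
                      bad_fps=DISTRUSTED_FINGERPRINTS):
    """Remediation of the kind the update describes: reject a chain if any
    certificate in it belongs to, or was issued by, the distrusted CA,
    regardless of which root it ultimately chains to."""
    for cert in chain:
        if cert.subject in bad_subjects or cert.fingerprint in bad_fps:
            return False, f"distrusted certificate in chain: {cert.subject}"
        if cert.issuer in bad_subjects:
            return False, f"issued by distrusted CA: {cert.issuer}"
    return root_removal_only(chain, roots)


# Constructed chains. The leaf is the same in the first two; only the
# path back to a root differs.
LEAF = Cert("CN=www.example.test", "CN=DigiNotar Cross Signed CA", "fp-leaf")

DIRECT = [  # intermediate signed by the (now deleted) DigiNotar root
    LEAF,
    Cert("CN=DigiNotar Cross Signed CA", "CN=DigiNotar Root CA", "fp-diginotar-cross"),
    Cert("CN=DigiNotar Root CA", "CN=DigiNotar Root CA", "fp-diginotar-root"),
]

CROSS_SIGNED = [  # same intermediate name, cross-signed by a still-trusted root
    LEAF,
    Cert("CN=DigiNotar Cross Signed CA", "CN=Example Trusted Root", "fp-diginotar-cross-2"),
    Cert("CN=Example Trusted Root", "CN=Example Trusted Root", "fp-root-example"),
]

CLEAN = [  # unrelated site chaining to the trusted root
    Cert("CN=clean.example.test", "CN=Example Trusted Root", "fp-leaf-clean"),
    Cert("CN=Example Trusted Root", "CN=Example Trusted Root", "fp-root-example"),
]


if __name__ == "__main__":
    for name, chain in [("direct", DIRECT), ("cross-signed", CROSS_SIGNED), ("clean", CLEAN)]:
        print(f"{name:12} root removal only: {root_removal_only(chain)}")
        print(f"{name:12} explicit distrust: {explicit_distrust(chain)}")
```

Run as a script, the cross-signed chain is accepted by the root-removal policy and rejected by the explicit-distrust policy, while the clean chain passes both. Note that the cross-signed intermediate carries a different fingerprint from the original one, so a distrust list keyed by fingerprint alone would also miss it; matching on the CA’s name as well is what catches certificates “issued by other authorities”.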

When properly administered, SSL certificates are the only proof that you are talking to the organisation you are supposed to be talking to on the Internet and that no one is listening in.

David Jamieson
