Apple patches OS X for DigiNotar threat
Security update released following criticism over response to fraudulently issued SSL certificates
By Loek Essers | Published: 12:19, 12 September 2011
Apple is rolling out an OS X patch to deal with the DigiNotar fiasco, following criticism last week of its slow response to the security threat posed by a hacker who obtained fraudulently issued SSL (Secure Sockets Layer) certificates from the certificate authority.
Apple announced the patch in a security update bulletin. "Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted," stated the bulletin published on Friday.
The patch is available for Mac OS X, Mac OS X Server, OS X Lion and Lion Server. It follows the removal of DigiNotar's root certificates from the trust stores of Microsoft and the browser makers Google and Mozilla earlier this month.
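The bulletin describes two separate changes: dropping DigiNotar from the trusted root list, and a trust setting that rejects DigiNotar certificates even when another authority signed them. The added example below (illustration only, not Apple's code or the keychain's real trust-settings mechanism) models why both are needed. Certificates are reduced to subject and issuer names, with no signatures or X.509 parsing, and every name and chain in it is constructed for the example: a leaf under a DigiNotar intermediate that was cross-signed by another, still-trusted root passes a root-store-only check, and is only caught by the explicit distrust list.

```python
"""Model of the two trust-store changes in the DigiNotar update.

Added illustration, not Apple's code. Certificates are modelled by
subject/issuer names only; all names below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


def walk_chain(leaf: Cert, pool: Dict[str, Cert]) -> List[Cert]:
    """Follow issuer links from the leaf until a self-signed cert or a dead end.
    A `seen` set guards against issuer loops in a malformed pool."""
    chain = [leaf]
    seen = {leaf.subject}
    cur = leaf
    while not cur.is_self_signed:
        nxt = pool.get(cur.issuer)
        if nxt is None or nxt.subject in seen:
            break
        chain.append(nxt)
        seen.add(nxt.subject)
        cur = nxt
    return chain


def anchored_in_trusted_root(chain: List[Cert], trusted_roots: Set[str]) -> bool:
    """Root-store check: the chain must end in a self-signed cert we trust."""
    top = chain[-1]
    return top.is_self_signed and top.subject in trusted_roots


def issued_under_distrusted(chain: List[Cert], distrusted: Set[str]) -> bool:
    """Explicit-distrust check: no cert in the chain may be, or be issued by,
    a distrusted authority. (Real trust settings key on the certificate itself;
    matching on subject name is a simplification for this model.)"""
    return any(c.subject in distrusted or c.issuer in distrusted for c in chain)


def trust_decision(leaf: Cert, pool: Dict[str, Cert],
                   trusted_roots: Set[str], distrusted: Set[str]) -> str:
    chain = walk_chain(leaf, pool)
    if issued_under_distrusted(chain, distrusted):
        return "rejected: distrusted authority in chain"
    if not anchored_in_trusted_root(chain, trusted_roots):
        return "rejected: no trusted anchor"
    return "accepted"


# Constructed certificate pool (names are assumptions, not real certificates).
DIGINOTAR_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA")
OTHER_ROOT = Cert("Example Other Root CA", "Example Other Root CA")
# A DigiNotar intermediate cross-signed by the other, still-trusted root.
DIGINOTAR_CROSS = Cert("DigiNotar Intermediate CA", "Example Other Root CA")
LEAF_DIRECT = Cert("mail.example.net", "DigiNotar Root CA")
LEAF_CROSS = Cert("www.example.com", "DigiNotar Intermediate CA")

POOL = {c.subject: c for c in (DIGINOTAR_ROOT, OTHER_ROOT, DIGINOTAR_CROSS)}

ROOTS_BEFORE = {"DigiNotar Root CA", "Example Other Root CA"}
ROOTS_AFTER = {"Example Other Root CA"}          # DigiNotar root removed
DISTRUSTED = {"DigiNotar Root CA", "DigiNotar Intermediate CA"}


def compare_policies() -> Dict[str, Dict[str, str]]:
    """Decision for each leaf under: unpatched, root removed only, fully patched."""
    leaves = {"direct": LEAF_DIRECT, "cross-signed": LEAF_CROSS}
    policies = {
        "unpatched": (ROOTS_BEFORE, set()),
        "root removed only": (ROOTS_AFTER, set()),
        "root removed + distrust": (ROOTS_AFTER, DISTRUSTED),
    }
    return {name: {ln: trust_decision(leaf, POOL, roots, dis)
                   for ln, leaf in leaves.items()}
            for name, (roots, dis) in policies.items()}


if __name__ == "__main__":
    for policy, results in compare_policies().items():
        for leaf_name, verdict in results.items():
            print(f"{policy:26s} {leaf_name:13s} {verdict}")
```

Removing only the root leaves the cross-signed leaf accepted, which is the gap the bulletin's "including those issued by other authorities" wording closes. On a real Mac the equivalent state lives in the system keychain and its trust settings; `security dump-trust-settings -s` prints the system-wide settings, and `security find-certificate -a -c DigiNotar` lists any certificate whose name still matches.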
"For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available," Apple added to the page detailing the patch. That message is standard practice in Apple's security bulletins.
"It is disturbing that Apple does not communicate about security issues," said Roel Schouwenberg, security researcher at Kaspersky, in a phone interview. Apple keeps users in the dark until there is a patch available. "That is really old-fashioned," said Schouwenberg. Apple is "certainly very late" with the security update, he said.
"We also still don't know what is going on with iOS," Schouwenberg added. It is still unclear whether Apple will push a matching trust-store change to the iPhone or the iPad. The same goes for Google's Android. Schouwenberg called this "very strange."
He pointed out that smartphones are basically computers and that most companies use the phones to handle corporate email. "If they are not releasing updates for mobile phones then that should certainly be substantiated," said Schouwenberg.
Google and Apple did not immediately comment.