Feeds

iOS, Mac, Android users still vulnerable to bogus certs

Apple and Google inaction in wake of DigiNotar breach

SANS - Survey on application security programs

Eight days after the discovery that a fraudulently issued web credential actively targeted Iranians as they accessed their Gmail accounts, millions of people who rely on Google and Apple products remain vulnerable to similar attacks.

The inaction of Google in updating its Android operating system and Apple in making changes to its iOS and Mac OS X is even more striking given a report issued Monday that found that a security breach on Dutch firm DigiNotar minted at least 530 additional counterfeit certificates for domains including addons.mozilla.org, Skype, and various Microsoft update sites.

While updates issued over the past week have protected users of the major browsers and email clients, users of Google Android–based devices, iPhones, iPads, and Apple Safari on Mac remain susceptible unless they take special precautions.

“Apple is characteristically quiet again when it comes to security and at a time when its users need their help most of all,” Andrew Storms, director of security operations at nCircle, wrote in an email. “Users are left going the unofficial route looking for experts outside of Apple to tell them how to protect themselves.”

Apple has steadfastly declined to comment on unpatched security vulnerabilities in its products.

Developers of Google's Chrome browser have done a good job of communicating the risks users face from the fraudulently issued DigiNotar certificates. In the past week, as additional information has come to light, they have issued two updates designed to prevent the bogus credentials from being accepted by the browser when users encounter them.

Google officials have been considerably more inert when it comes to threats the certificates pose to users of Android, the world's most widely used smartphone OS. A Google spokesman declined to comment for this post.

Android users who want to take security matters into their own hands can install the latest version of WhisperCore, a privacy app that will block most SSL certificates signed by DigiNotar. In the next 24 hours, an update will block all remaining certificates, which weren't filtered until the weekend, when the Dutch government backed away from assurances that they weren't affected by the DigiNotar security breach.

A bug in the OS X keychain software makes it hard for Mac users to completely distrust certificates signed by DigiNotar. Until Apple issues a patch, users can follow instructions here to protect themselves. They can also stop using Safari and instead use Chrome or Firefox. It's unclear what steps users of Apple's iDevices can take to block the bogus certificates. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
WTF happened to Pac-Man?
In his thirties and still afraid of ghosts
Reg man builds smart home rig, gains SUPREME CONTROL of DOMAIN – Pics
LightwaveRF and Arduino: Bright ideas for dim DIYers
Leaked pics show EMBIGGENED iPhone 6 screen
Fat-fingered fanbois rejoice over Chinternet snaps
Apple patent LOCKS drivers out of their OWN PHONES
I'm sorry Dave, I'm afraid I can't let you text that
Microsoft signs Motorola to Android patent pact – no, not THAT Motorola
The part that Google never got will play ball with Redmond
Slip your finger in this ring and unlock your backdoor, phone, etc
Take a look at this new NFC jewellery – why, what were you thinking of?
Happy 25th birthday, Game Boy!
Monochrome handset ushered in modern mobile gaming era
Rounded corners? Pah! Amazon's '3D phone has eye-tracking tech'
Now THAT'S what we call a proper new feature
Zucker punched: Google gobbles Facebook-wooed Titan Aerospace
Up, up and away in my beautiful balloon flying broadband-bot
prev story

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.