Feeds

iOS, Mac, Android users still vulnerable to bogus certs

Apple and Google inaction in wake of DigiNotar breach

Secure remote control for conventional and virtual desktops

Eight days after the discovery that a fraudulently issued web credential actively targeted Iranians as they accessed their Gmail accounts, millions of people who rely on Google and Apple products remain vulnerable to similar attacks.

The inaction of Google in updating its Android operating system and Apple in making changes to its iOS and Mac OS X is even more striking given a report issued Monday that found that a security breach on Dutch firm DigiNotar minted at least 530 additional counterfeit certificates for domains including addons.mozilla.org, Skype, and various Microsoft update sites.

While updates issued over the past week have protected users of the major browsers and email clients, users of Google Android–based devices, iPhones, iPads, and Apple Safari on Mac remain susceptible unless they take special precautions.

“Apple is characteristically quiet again when it comes to security and at a time when its users need their help most of all,” Andrew Storms, director of security operations at nCircle, wrote in an email. “Users are left going the unofficial route looking for experts outside of Apple to tell them how to protect themselves.”

Apple has steadfastly declined to comment on unpatched security vulnerabilities in its products.

Developers of Google's Chrome browser have done a good job of communicating the risks users face from the fraudulently issued DigiNotar certificates. In the past week, as additional information has come to light, they have issued two updates designed to prevent the bogus credentials from being accepted by the browser when users encounter them.

Google officials have been considerably more inert when it comes to threats the certificates pose to users of Android, the world's most widely used smartphone OS. A Google spokesman declined to comment for this post.

Android users who want to take security matters into their own hands can install the latest version of WhisperCore, a privacy app that will block most SSL certificates signed by DigiNotar. In the next 24 hours, an update will block all remaining certificates, which weren't filtered until the weekend, when the Dutch government backed away from assurances that they weren't affected by the DigiNotar security breach.

A bug in the OS X keychain software makes it hard for Mac users to completely distrust certificates signed by DigiNotar. Until Apple issues a patch, users can follow instructions here to protect themselves. They can also stop using Safari and instead use Chrome or Firefox. It's unclear what steps users of Apple's iDevices can take to block the bogus certificates. ®

The essential guide to IT transformation

More from The Register

next story
So, Apple won't sell cheap kit? Prepare the iOS garden wall WRECKING BALL
It can throw the low cost race if it looks to the cloud
Samsung Gear S: Quick, LAUNCH IT – before Apple straps on iWatch
Full specs for wrist-mounted device here ... but who'll buy it?
Apple promises to lift Curse of the Drained iPhone 5 Battery
Have you tried turning it off and...? Never mind, here's a replacement
Now that's FIRE WIRE: HP recalls 6 MILLION burn-risk laptop cables
Right in the middle of Burning Mains Man week
HUGE iPAD? Maybe. HUGE ADVERTS? That's for SURE
Noo! Hand not big enough! Don't look at meee!
AMD unveils 'single purpose' graphics card for PC gamers and NO ONE else
Chip maker claims the Radeon R9 285 is 'best in its class'
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?