Feeds

Apple finally purges Mac OS of disgraced DigiNotar certs

iPhone and iPad users still wide open

The Power of One eBook: Top reasons to choose HP BladeSystem

Apple has finally purged the imprimatur of disgraced web authentication authority DigiNotar from its Mac operating system.

In an update released Friday, Apple removed multiple DigiNotar root certificates from the Lion and Snow Leopard versions of Mac OS X. The move came nine days after the discovery that the Netherlands-based authority issued a counterfeit SSL certificate for Google.com that was used to spy on people in Iran. An investigation later revealed that DigiNotar had failed to warn browser makers that it issued at least 531 bogus credentials following a security breach that gave attackers free rein over its certificate issuance system for weeks.

Within hours of the discovery, Google and Mozilla issued updates that caused their browsers and email programs to reject most SSL certificates issued by DigiNotar. Users of Windows Vista and later versions of the Microsoft operating system were also protected, although it wasn't until earlier this week that Windows XP users received the same defense.

Apple's delayed response comes in sharp contrast. Not only has it taken longer to issue the update, but it didn't utter a peep of warning to its users in the intervening time. At time of writing, there were no updates available that purged the untrustworthy DigiNotar root certificates from iOS, meaning iPhone and iPad users are still vulnerable to fraudulent DigiNotar certificates.

Users of Google's Android OS for smartphones also remain wide open.

The threats Apple and Google have failed to protect their users against are by no means theoretical. At least one of the certificates has already been encountered by at least 300,000 people, mostly in Iran, as they accessed Gmail or other protected Google services. Trend Micro has more details about the certificate here. ®

Designing a Defense for Mobile Applications

More from The Register

next story
Mozilla fixes CRITICAL security holes in Firefox, urges v31 upgrade
Misc memory hazards 'could be exploited' - and guess what, one's a Javascript vuln
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.