Apple has released an update to address compromised certificates from DigiNotar, more than a week after news of the attack first broke.
Apple is the last of the major browser vendors to bounce DigiNotar from its list of trusted root certificates, while Microsoft, Google and Mozilla had already made moves to address the potential threat. The Apple update affects Mac OS X and OS X Server versions 10.6.8 and Lion and Lion Server versions 10.7.1.
“Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar,” Apple wrote in the advisory. “This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.”
Up until now, Apple has remained quiet on the issue of the certificates, prompting criticism from many in the security community.
“Déjà vu – Remembering the Comodo issue, Apple was nearly a month behind other browser vendors in providing a patch to address the issue for their customers,” Lumension security and forensic analyst Paul Henry complained in Sept. 6 blog post.
For Apple’s part, it has a policy not to disclose, discuss or confirm security issues until a full investigation has finished and any necessary patches or releases are available.
In addition to moves by the major browser vendors, Adobe said it will release an update to remove the DigiNotar Qualified CA from the Adobe Approved Trust List (AATL) Sept. 13 for Adobe Reader and Acrobat X. The update was delayed at the explicit request of the Dutch government, while they explore the implications of this action and prepare their systems for the change.
