Apple Addresses Fake DigiNotar Certificates for Snow Leopard, Lion

Apple released Security Update 2011-005 on Friday, a security patch for Mac OS X (Snow Leopard) and OS X (Lion) that addresses the fraudulent certificates recently issued by DigiNotar. Apple took the same approach as Microsoft: it removed DigiNotar from the list of trusted root certificates.

Hackers recently compromised DigiNotar, an issuer of the certificates websites use to prove to your browser (and other Web-based software) that they are who they claim to be, and issued themselves at least 500 fake certificates. Those fakes would let the hackers set up fake sites that present themselves as “trusted” sites.

For instance, Google told Iranians to change their Gmail passwords on Friday after these same hackers used some of those fake certificates to launch “man-in-the-middle” attacks against some Iranian Gmail users.

This security patch is a must-install for Mac users, as it stops your Mac from trusting any of these fake certificates. As such, you should install it ASAP.

Apple’s patch notes:

Security Update 2011-005
Certificate Trust Policy

Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1, Lion Server v10.7.1

Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.

You can find the update in Software Update as a 188KB download for Lion. It should be similarly small for Snow Leopard users.
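Apple’s patch notes say the update both removes DigiNotar from the trusted roots and configures explicit distrust of DigiNotar’s certificates, “including those issued by other authorities.” The following added example (my own illustration, not Apple’s code or the actual update) shows why both steps are needed: a DigiNotar-keyed intermediate that was cross-signed by another, still-trusted CA would pass a trust check that only removed the DigiNotar root, but fails once the DigiNotar public key is explicitly distrusted. Every certificate, name and key fingerprint below is a constructed stand-in; no real keys, hashes or DigiNotar identifiers are used.

```python
"""Removal from the root store vs. explicit distrust of a CA's keys.

All certificates here are constructed stand-ins modelled as plain records
(subject, issuer, and a label standing in for a hash of the public key).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str   # who the certificate names
    issuer: str    # who signed it
    spki: str      # stand-in for a public-key fingerprint (constructed label)


# Constructed trust store: the DigiNotar root is already removed from it.
TRUSTED_ROOTS = {"Other CA Root": "spki-other-root"}

# Constructed explicit distrust set, keyed by public key, so a DigiNotar key is
# rejected regardless of which authority signed the certificate carrying it.
DISTRUSTED_SPKI = {"spki-diginotar-root", "spki-diginotar-intermediate"}


def chains_to_trusted_root(chain, trusted_roots):
    """Walk leaf -> ... -> root: every link must name its signer, and the last
    certificate must match a trusted root by subject and public key."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    root = chain[-1]
    return trusted_roots.get(root.subject) == root.spki


def verify_removal_only(chain, trusted_roots=TRUSTED_ROOTS):
    """Policy 1: only remove DigiNotar from the list of trusted roots."""
    return chains_to_trusted_root(chain, trusted_roots)


def verify_with_distrust(chain, trusted_roots=TRUSTED_ROOTS, distrusted=DISTRUSTED_SPKI):
    """Policy 2 (what the patch notes describe): removal plus explicit distrust
    of any certificate in the chain that carries a DigiNotar key, including
    certificates issued by other authorities."""
    if any(cert.spki in distrusted for cert in chain):
        return False
    return chains_to_trusted_root(chain, trusted_roots)


# Chain A (constructed): leaf issued directly under the removed DigiNotar root.
CHAIN_DIRECT = [
    Cert("mail.example", "DigiNotar Root (stand-in)", "spki-leaf-a"),
    Cert("DigiNotar Root (stand-in)", "DigiNotar Root (stand-in)", "spki-diginotar-root"),
]

# Chain B (constructed): a DigiNotar intermediate cross-signed by a still-trusted CA.
CHAIN_CROSS_SIGNED = [
    Cert("mail.example", "DigiNotar Intermediate (stand-in)", "spki-leaf-b"),
    Cert("DigiNotar Intermediate (stand-in)", "Other CA Root", "spki-diginotar-intermediate"),
    Cert("Other CA Root", "Other CA Root", "spki-other-root"),
]

# Chain C (constructed): an unrelated site under the still-trusted CA.
CHAIN_LEGIT = [
    Cert("shop.example", "Other CA Root", "spki-leaf-c"),
    Cert("Other CA Root", "Other CA Root", "spki-other-root"),
]


def compare_policies():
    """Return {chain name: (removal-only result, removal+distrust result)}."""
    return {
        name: (verify_removal_only(chain), verify_with_distrust(chain))
        for name, chain in (
            ("direct", CHAIN_DIRECT),
            ("cross_signed", CHAIN_CROSS_SIGNED),
            ("legit", CHAIN_LEGIT),
        )
    }


if __name__ == "__main__":
    for name, (removal, distrust) in compare_policies().items():
        print(f"{name:13s} removal-only={removal!s:5s} removal+distrust={distrust}")
```

The cross-signed chain is the interesting row: with the root merely removed it still validates, because it reaches a different trusted root; only the explicit distrust of the DigiNotar key rejects it, which is the reason the patch notes list that extra trust-settings step.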