Apple releases Mac OS X Security Update 2011-005 to stop certificate fraud

Posted in macOS; edited January 2014
Apple on Friday issued a security update for Mac OS X 10.7 Lion and 10.6 Snow Leopard, addressing the trust problem created by fraudulently issued SSL certificates.



Security Update 2011-005 is available via Software Update, or as a direct download from Apple (15.59MB for Lion, 869KB for Snow Leopard). It is recommended for all Mac users.



The update addresses an issue that could allow an attacker with a privileged network position, one able to sit between the user and a site, to present a fraudulently issued certificate for that site, be accepted as genuine, and intercept user credentials or other sensitive information.



Apple issued the update because fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. Apple's fix removes DigiNotar's roots from the list of trusted root certificates and from the list of Extended Validation (EV) certificate authorities.



The security update also configures the default system trust settings so that DigiNotar's certificates are not trusted even when they were issued by other authorities. That last clause matters: a CA certificate that has been cross-signed by a different, still-trusted root would otherwise give a fraudulent certificate a second valid path to trust, so removing DigiNotar's own roots alone would not be enough.
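The cross-signing point above, as an added example that is not Apple's code and not part of the original article: a toy PKI built with openssl in which "Example Root A" stands in for the distrusted CA and "Example Root B" for a still-trusted CA that has cross-signed A's key. The CA names, the host name mail.example.test and all the files are constructed for this demo, and openssl (1.0.2 or newer) is assumed to be on the path. It shows that deleting Root A from the trust list stops working the moment the cross-signed copy is sent in the handshake, and that distrusting the key itself (its SubjectPublicKeyInfo hash) rejects both copies regardless of who signed them.

```shell
#!/bin/sh
# Added example (not Apple's code): a toy PKI showing why a compromised CA has to be
# distrusted by key, not just deleted from the root list. "Example Root A" stands in
# for the distrusted CA, "Example Root B" for a trusted CA that cross-signed it. All
# names, hosts and files here are constructed for the demo. Requires openssl.
set -eu

WORK=$(mktemp -d)
CFG="$WORK/openssl.cnf"
cat > "$CFG" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

gen_key() { openssl ecparam -genkey -name prime256v1 -noout -out "$1" 2>/dev/null; }

# make_root <CN> <basename>: self-signed CA certificate plus key in $WORK
make_root() {
  gen_key "$WORK/$2.key"
  openssl req -x509 -new -key "$WORK/$2.key" -subj "/CN=$1" -days 365 \
    -config "$CFG" -extensions v3_ca -out "$WORK/$2.crt" 2>/dev/null
}

# issue <CN> <keyfile> <issuer basename> <extension section> <out basename>
issue() {
  openssl req -new -key "$WORK/$2" -subj "/CN=$1" -config "$CFG" -out "$WORK/$5.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$5.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 365 -extfile "$CFG" -extensions "$4" -out "$WORK/$5.crt" 2>/dev/null
}

# spki_sha256 <cert.pem>: SHA-256 of the SubjectPublicKeyInfo, i.e. of the key, not the cert
spki_sha256() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER 2>/dev/null \
    | openssl dgst -sha256 | awk '{ print $NF }'
}

# verify_leaf <trusted root.pem> [untrusted intermediate.pem]: prints OK or FAIL
verify_leaf() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.crt" >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$1" "$WORK/leaf.crt" >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# verify_leaf_distrusting <spki hash> <root.pem> [intermediate.pem]: as verify_leaf, but
# any certificate carrying the distrusted key is rejected whoever signed it. This is the
# effect of a "not trusted, including when issued by other authorities" trust setting.
# (Each PEM argument is a single certificate here, not a bundle.)
verify_leaf_distrusting() {
  bad="$1"; shift
  for c in "$@"; do
    if [ "$(spki_sha256 "$c")" = "$bad" ]; then echo FAIL; return 0; fi
  done
  verify_leaf "$@"
}

make_root "Example Root A" rootA                         # the CA being distrusted
make_root "Example Root B" rootB                         # unrelated CA that stays trusted
issue "Example Root A" rootA.key rootB v3_ca rootA_by_B  # Root B cross-signs Root A's key
gen_key "$WORK/leaf.key"
issue "mail.example.test" leaf.key rootA v3_leaf leaf    # leaf issued under Root A

DISTRUST=$(spki_sha256 "$WORK/rootA.crt")               # a key-based distrust entry

echo "trust Root A (before the update):       $(verify_leaf "$WORK/rootA.crt")"
echo "trust Root B only (root removed):       $(verify_leaf "$WORK/rootB.crt")"
echo "trust Root B + cross-signed Root A:     $(verify_leaf "$WORK/rootB.crt" "$WORK/rootA_by_B.crt")"
echo "distrust key + cross-signed Root A:     $(verify_leaf_distrusting "$DISTRUST" "$WORK/rootB.crt" "$WORK/rootA_by_B.crt")"
```

The third line of output is the one to notice: with Root A deleted, the leaf still verifies as soon as the cross-signed copy of Root A is supplied as an intermediate, because the chain now ends at the trusted Root B. The two Root A certificates differ in issuer and signature but carry the same SubjectPublicKeyInfo, so a distrust rule keyed on that hash rejects both. On a Mac, the post-update check for the root removal is `security find-certificate -a -c DigiNotar /System/Library/Keychains/SystemRootCertificates.keychain`, which should return no certificate.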



Apple also issued an update on Thursday for Lexmark printers, Lexmark Printer Driver 2.6. It includes the latest Lexmark printing and scanning software for both Lion and Snow Leopard; the 133.99MB update can be downloaded directly from Apple.

Comments

  • Reply 1 of 23
    2992 Posts: 202, member
    that was faaast...
  • Reply 2 of 23
    ireland Posts: 17,798, member
    New signature.
  • Reply 3 of 23
    Quote: Originally Posted by Ireland
        New signature.

    Not unless it can be used without a data plan, it won't.
  • Reply 4 of 23
    That's the size that showed up on Software update, for Lion. I have a 15" 2011 MacBook Pro.
  • Reply 5 of 23
    188KB download on a 2009 Gainestown Mac Pro, too.
  • Reply 6 of 23
    Where is the update for iOS?
  • Reply 7 of 23
    Quote: Originally Posted by neiltc13
        Where is the update for iOS?

    Are OS X Security Updates ever included in iOS?
  • Reply 8 of 23
    Glad to see the Lexmark drivers have been updated. Hope Canon drivers get updated soon too. Not being able to print from certain applications (Preview and TextEdit) is really annoying.
  • Reply 9 of 23
    Quote: Originally Posted by Tallest Skil
        Are OS X Security Updates ever included in iOS?

    Well, since iOS is likely vulnerable, shouldn't there be an update for iOS as well?
  • Reply 10 of 23
    Quote: Originally Posted by neiltc13
        Well, since iOS is likely vulnerable, shouldn't there be an update for iOS as well?

    Possibly, though we likely won't see any change until iOS 5's release.
  • Reply 11 of 23
    Quote: Originally Posted by Tallest Skil
        Possibly, though we likely won't see any change until iOS 5's release.

    Not good enough.
  • Reply 12 of 23
    Quote: Originally Posted by neiltc13
        Not good enough.

    There's nothing you can do about it.

    Do you know of a single instance where this was exploited? Apple's security updates come before anything happens at least 90% of the time. The only exploits I've ever seen actually exploited were MacDEFENDER and MacWhatevertheotheronewas.
  • Reply 13 of 23
    Quote: Originally Posted by Tallest Skil
        There's nothing you can do about it.

        Do you know of a single instance where this was exploited? Apple's security updates come before anything happens at least 90% of the time. The only exploits I've ever seen actually exploited were MacDEFENDER and MacWhatevertheotheronewas.

    This is social engineering at its best. Shouting down anyone when they raise a concern to make it appear that Apple's devices are immune to all threats. iOS needs to be fixed. If release 5.0 is around the corner, are we sure that it contains this fix? They might be in a code freeze for defect fixing.
  • Reply 14 of 23
    Quote: Originally Posted by talksense101
        This is social engineering at its best. Shouting down anyone when they raise a concern to make it appear that Apple's devices are immune to all threats. iOS needs to be fixed. If release 5.0 is around the corner, are we sure that it contains this fix? They might be in a code freeze for defect fixing.

    Not necessarily. How do you know that the same vulnerability fixed by this OS X update even exists in iOS?
  • Reply 15 of 23
    Quote: Originally Posted by F1Ferrari
        Not necessarily. How do you know that the same vulnerability fixed by this OS X update even exists in iOS?

    Use the iPhone Configuration Utility to see that the root certs for DigiNotar are there AND cannot be altered, unlike Mac OS X.
  • Reply 16 of 23
    Quote: Originally Posted by 2992
        that was faaast...

    Not really, but OK.
  • Reply 17 of 23
    Quote: Originally Posted by Tallest Skil
        There's nothing you can do about it.

        Do you know of a single instance where this was exploited? Apple's security updates come before anything happens at least 90% of the time. The only exploits I've ever seen actually exploited were MacDEFENDER and MacWhatevertheotheronewas.

    It's a man-in-the-middle attack and it has happened. Just because you have not seen it doesn't mean it's never been successfully executed.
  • Reply 18 of 23
    Quote: Originally Posted by PBRSTREETG
        It's a man-in-the-middle attack and it has happened. Just because you have not seen it doesn't mean it's never been successfully executed.

    The sickening thing about man-in-the-middle attacks is that you will never know it happened unless the software is smart enough. The reason Chrome caught it is because of its strong security feature. The irony is that you bend over backwards with Chrome and expose all your personal browsing habits and history to Google, but at least it prevents others from snooping on you.

    Quote:
        Chromium 13: built-in certificate pinning and HSTS

        We're experimenting with ways to improve the security of HTTPS. One of the sites we're collaborating with to try new security measures is Gmail.

        As of Chromium 13, all connections to Gmail will be over HTTPS. This includes the initial navigation even if the user types "gmail.com" or "mail.google.com" into the URL bar without an https:// prefix, which defends against sslstrip-type attacks.

        The same HSTS technology also prevents users from clicking through SSL warnings for things such as a self-signed certificate. These attacks have been seen in the wild, and users have been known to fall for such attacks. Now there's a mechanism to prevent them from doing so on sensitive domains.

        In addition, in Chromium 13, only a very small subset of CAs have the authority to vouch for Gmail (and the Google Accounts login page). This can protect against recent incidents where a CA has its authority abused, and generally protects against the proliferation of signing authority.

        http://blog.chromium.org/2011/06/new...ures-june.html

  • Reply 19 of 23
    gdog Posts: 224, member
    any change in lion snappiness? any issues with update?
  • Reply 20 of 23
    Quote: Originally Posted by gdog
        any change in lion snappiness? any issues with update?

    It's 188 kilobytes. If something breaks after installing something that small, something was broken to begin with.