Apple releases Mac OS X Security Update 2011-005 to stop certificate fraud
Apple on Friday issued a security update for Mac OS X 10.7 Lion and 10.6 Snow Leopard, addressing a security issue related to fraudulent online certificates.
Security Update 2011-005 is available through Software Update, or direct from Apple as a 15.59MB download for Lion or an 869KB download for Snow Leopard. It is recommended for all Mac users.
The update addresses an issue that could allow an attacker with a privileged network position to intercept user credentials or other sensitive information.
Apple issued the update because fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. Apple's fix removes DigiNotar from the list of trusted root certificates and from the list of Extended Validation (EV) certificate authorities.
The security update also configures the default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not viewed as trusted.
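The distinction between the two parts of the fix matters: removing a root from the trust store does not help if a DigiNotar-issued certificate chains to some other root that is still trusted (a cross-signed intermediate). The following is an added example, not Apple's code or the actual Security Update logic; it models both steps with constructed certificate names to show why the explicit distrust rule is needed in addition to root removal.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only subject and issuer names."""
    subject: str
    issuer: str


# Constructed sample certificates; names are illustrative, not real DigiNotar data.
DIGINOTAR_ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA")
OTHER_ROOT = Cert("Example Root CA", "Example Root CA")
# A DigiNotar intermediate cross-signed by an unrelated CA: it still builds a
# path to a trusted root after the DigiNotar root itself has been removed.
CROSS_SIGNED_INTERMEDIATE = Cert("DigiNotar Public CA", "Example Root CA")
LEAF_VIA_DIGINOTAR = Cert("www.example.com", "DigiNotar Root CA")
LEAF_VIA_CROSS = Cert("www.example.com", "DigiNotar Public CA")
LEAF_VIA_OTHER = Cert("www.example.com", "Example Root CA")

# Names that must never appear anywhere in a trusted chain (the "trust
# settings" half of the fix, as opposed to the root-store half).
DISTRUSTED_NAMES = ("DigiNotar",)


def chain_builds_to_root(chain, trusted_roots):
    """Step 1 only: each cert is issued by the next, and the last is a trusted, self-signed root."""
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    last = chain[-1]
    return last.subject == last.issuer and last in trusted_roots


def is_trusted(chain, trusted_roots, distrust_names=DISTRUSTED_NAMES):
    """Step 1 plus step 2: reject any chain that contains a distrusted name, then check path building."""
    for cert in chain:
        for name in distrust_names:
            if name in cert.subject or name in cert.issuer:
                return False
    return chain_builds_to_root(chain, trusted_roots)


if __name__ == "__main__":
    roots_after_update = {OTHER_ROOT}
    cross = [LEAF_VIA_CROSS, CROSS_SIGNED_INTERMEDIATE, OTHER_ROOT]
    print("cross-signed chain, root removal only:", chain_builds_to_root(cross, roots_after_update))
    print("cross-signed chain, with distrust rule:", is_trusted(cross, roots_after_update))
```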
Apple also issued a separate update on Thursday for Lexmark printers, the Lexmark 2.6 Printer Driver. It includes the latest Lexmark printing and scanning software for both Lion and Snow Leopard, and the 133.99MB update can be downloaded direct from Apple.
Comments
New signature.
Not unless it can be used without a data plan, it won't.
Where is the update for iOS?
Are OS X Security Updates ever included in iOS ever?
Well since iOS is likely vulnerable, shouldn't there be an update for iOS as well?
Possibly, though we likely won't see any change until iOS 5's release.
Not good enough.
There's nothing you can do about it.
Do you know of a single instance where this was exploited? Apple's security updates come before anything happens at least 90% of the time. The only exploits I've ever seen actually exploited were MacDEFENDER and MacWhatevertheotheronewas.
This is social engineering at its best. Shouting down anyone when they raise a concern to make it appear that Apple's devices are immune to all threats. iOS needs to be fixed. If release 5.0 is around the corner, are we sure that it contains this fix? They might be in a code freeze for defect fixing.
Not necessarily. How do you know that the same vulnerability fixed by this OS X update even exists in iOS?
Use the iPhone Configuration Utility to see that the root certs for DigiNotar are there AND cannot be altered, unlike Mac OS X.
that was faaast...
Not really but OK.
It's a man-in-the-middle attack and it has happened. Just because you have not seen it doesn't mean it's never been successfully executed.
The sickening thing about man-in-the-middle attacks is that you will never know it happened unless the software is smart enough. The reason Chrome caught it is because of its strong security feature. The irony is that you bend over backwards with Chrome and expose all your personal browsing habits and history to Google, but at least it prevents others from snooping on you.
Chromium 13: built-in certificate pinning and HSTS
We're experimenting with ways to improve the security of HTTPS. One of the sites we're collaborating with to try new security measures is Gmail.
As of Chromium 13, all connections to Gmail will be over HTTPS. This includes the initial navigation even if the user types "gmail.com" or "mail.google.com" into the URL bar without an https:// prefix, which defends against sslstrip-type attacks.
The same HSTS technology also prevents users from clicking through SSL warnings for things such as a self-signed certificate. These attacks have been seen in the wild, and users have been known to fall for such attacks. Now there's a mechanism to prevent them from doing so on sensitive domains.
In addition in Chromium 13, only a very small subset of CAs have the authority to vouch for Gmail (and the Google Accounts login page). This can protect against recent incidents where a CA has its authority abused, and generally protects against the proliferation of signing authority.
http://blog.chromium.org/2011/06/new...ures-june.html
Any change in Lion snappiness? Any issues with the update?
It's 188 kilobytes. If something breaks after installing something that small, something was broken to begin with.