AppleInsider › Forums › Software › Mac OS X › Apple releases Mac OS X Security Update 2011-005 to stop certificate fraud

Apple releases Mac OS X Security Update 2011-005 to stop certificate fraud

post #1 of 24
Thread Starter 
Apple on Friday issued a security update for Mac OS X 10.7 Lion and 10.6 Snow Leopard, addressing a security issue related to fraudulent online certificates.

Security Update 2011-005 is available to download via Software Update, or as a 15.59MB download for Lion, or 869KB download for Snow Leopard direct from Apple. It is recommended for all Mac users.

The update addresses an issue that could allow an attacker with a privileged network position to intercept user credentials or other sensitive information.

Apple issued the update because fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. Apple's fix removes DigiNotar from the list of trusted root certificates and from the list of Extended Validation (EV) certificate authorities.

The security update also configures the default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not viewed as trusted.

Another update was also issued by Apple on Thursday for Lexmark printers in the form of Lexmark 2.6 Printer Driver. It includes the latest Lexmark printing and scanning software for both Lion and Snow Leopard, and the 133.99MB update can be downloaded direct from Apple.
post #2 of 24
that was faaast...
sent from my... internet browser of choice.
post #3 of 24
New signature.
Citing unnamed sources with limited but direct knowledge of the rumoured device - Comedy Insider (Feb 2014)
post #4 of 24
Quote:
Originally Posted by Ireland View Post

New signature.

Not unless it can be used without a data plan, it won't.

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
post #5 of 24
That's the size that showed up on Software update, for Lion. I have a 15" 2011 MacBook Pro.
post #6 of 24
188KB download on a 2009 Gainestown Mac Pro, too.

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
post #7 of 24
Where is the update for iOS?
post #8 of 24
Quote:
Originally Posted by neiltc13 View Post

Where is the update for iOS?

Are OS X Security Updates ever included in iOS ever?

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
post #9 of 24
Glad to see the Lexmark drivers have been updated. Hope Canon drivers get updated soon too. Not being able to print from certain applications (Preview and TextEdit) is really annoying.
"In a perfect world humans would co-exist harmoniously like a rainbow. A multitude of colors. Each layer vibrant and clear and alone, but in unison breathtaking."
post #10 of 24
Quote:
Originally Posted by Tallest Skil View Post

Are OS X Security Updates ever included in iOS ever?

Well since iOS is likely vulnerable, shouldn't there be an update for iOS as well?
post #11 of 24
Quote:
Originally Posted by neiltc13 View Post

Well since iOS is likely vulnerable, shouldn't there be an update for iOS as well?

Possibly, though we likely won't see any change until iOS 5's release.

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
post #12 of 24
Quote:
Originally Posted by Tallest Skil View Post

Possibly, though we likely won't see any change until iOS 5's release.

Not good enough.
post #13 of 24
Quote:
Originally Posted by neiltc13 View Post

Not good enough.

There's nothing you can do about it.

Do you know of a single instance where this was exploited? Apple's security updates come before anything happens at least 90% of the time. The only exploits I've ever seen actually exploited were MacDEFENDER and MacWhatevertheotheronewas.

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
post #14 of 24
Quote:
Originally Posted by Tallest Skil View Post

There's nothing you can do about it.

Do you know of a single instance where this was exploited? Apple's security updates come before anything happens at least 90% of the time. The only exploits I've ever seen actually exploited were MacDEFENDER and MacWhatevertheotheronewas.

This is social engineering at its best. Shouting down anyone who raises a concern to make it appear that Apple's devices are immune to all threats. iOS needs to be fixed. If release 5.0 is around the corner, are we sure that it contains this fix? They might be in a code freeze for defect fixing.
Most of us employ the Internet not to seek the best information, but rather to select information that confirms our prejudices. - Nicholas D. Kristof
post #15 of 24
Quote:
Originally Posted by talksense101 View Post

This is social engineering at its best. Shouting down anyone who raises a concern to make it appear that Apple's devices are immune to all threats. iOS needs to be fixed. If release 5.0 is around the corner, are we sure that it contains this fix? They might be in a code freeze for defect fixing.

Not necessarily. How do you know that the same vulnerability fixed by this OS X update even exists in iOS?
post #16 of 24
Quote:
Originally Posted by F1Ferrari View Post

Not necessarily. How do you know that the same vulnerability fixed by this OS X update even exists in iOS?

Use the iPhone configuration utility to see that the root certs for diginotar are there AND cannot be altered unlike Mac OS X.
post #17 of 24
Quote:
Originally Posted by 2992 View Post

that was faaast...

Not really but OK.
post #18 of 24
Quote:
Originally Posted by Tallest Skil View Post

There's nothing you can do about it.

Do you know of a single instance where this was exploited? Apple's security updates come before anything happens at least 90% of the time. The only exploits I've ever seen actually exploited were MacDEFENDER and MacWhatevertheotheronewas.

It's a man-in-the-middle attack and it has happened. Just because you have not seen it doesn't mean it's never been successfully executed.
post #19 of 24
Quote:
Originally Posted by PBRSTREETG View Post

It's a man-in-the-middle attack and it has happened. Just because you have not seen it doesn't mean it's never been successfully executed.

The sickening thing about man-in-the-middle attacks is that you will never know it happened unless the software is smart enough. The reason Chrome caught it is because of its strong security feature. The irony is that you bend over backwards with Chrome and expose all your personal browsing habits and history to Google, but at least it prevents others from snooping on you.

Quote:
Chromium 13: built-in certificate pinning and HSTS
We're experimenting with ways to improve the security of HTTPS. One of the sites we're collaborating with to try new security measures is Gmail.

As of Chromium 13, all connections to Gmail will be over HTTPS. This includes the initial navigation even if the user types gmail.com or mail.google.com into the URL bar without an https:// prefix, which defends against sslstrip-type attacks.

The same HSTS technology also prevents users from clicking through SSL warnings for things such as a self-signed certificate. These attacks have been seen in the wild, and users have been known to fall for such attacks. Now there's a mechanism to prevent them from doing so on sensitive domains.

In addition in Chromium 13, only a very small subset of CAs have the authority to vouch for Gmail (and the Google Accounts login page). This can protect against recent incidents where a CA has its authority abused, and generally protects against the proliferation of signing authority.

http://blog.chromium.org/2011/06/new...ures-june.html
Most of us employ the Internet not to seek the best information, but rather to select information that confirms our prejudices. - Nicholas D. Kristof
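As an added illustration (not code from the thread, from Apple or from Chromium), here is a small Python model of the two defenses discussed in this thread: name-based distrust of a compromised CA, as the first post describes the Apple update doing for DigiNotar, and per-host public-key pinning, as the quoted Chromium post describes for Gmail. The CA names, SPKI bytes and pin values are constructed for the example and are not real.

```python
import base64
import hashlib

# Chromium-style pin value: base64 of SHA-256 over the DER SubjectPublicKeyInfo.
def spki_hash(spki: bytes) -> str:
    return base64.b64encode(hashlib.sha256(spki).digest()).decode()

# Names the trust store refuses outright. Matching on subject *and* issuer
# models the update's effect: DigiNotar certificates stay untrusted even
# when they were cross-signed by another authority.
DISTRUSTED_NAMES = ("DigiNotar",)

# Constructed stand-ins for DER SPKI blobs (not real keys).
PINNED_CA_SPKI = b"constructed-spki-of-the-pinned-root"
OTHER_CA_SPKI = b"constructed-spki-of-another-trusted-root"
ROGUE_CA_SPKI = b"constructed-spki-of-a-rogue-issuer"

# Per-host pin sets: only these CA keys may vouch for the host (constructed).
PINS = {"mail.google.com": {spki_hash(PINNED_CA_SPKI)}}

def evaluate_chain(host, chain):
    """chain is leaf-first; each cert is {'subject', 'issuer', 'spki'}.
    Returns (accepted, reason). Distrust is checked before pins so a rogue
    CA is rejected even for hosts that carry no pin."""
    for cert in chain:
        for name in DISTRUSTED_NAMES:
            if name in cert["subject"] or name in cert["issuer"]:
                return False, f"chain contains distrusted CA {name!r}"
    pins = PINS.get(host)
    if pins:
        chain_hashes = {spki_hash(c["spki"]) for c in chain}
        if not pins & chain_hashes:
            return False, f"no pinned key in chain for {host}"
    return True, "ok"

# Constructed sample chains (leaf first, then the root).
GOOD_CHAIN = [
    {"subject": "CN=mail.google.com", "issuer": "CN=Pinned Root (constructed)", "spki": b"leaf-key-1"},
    {"subject": "CN=Pinned Root (constructed)", "issuer": "CN=Pinned Root (constructed)", "spki": PINNED_CA_SPKI},
]
# A fraudulent Gmail certificate issued under the compromised CA's name.
DIGINOTAR_CHAIN = [
    {"subject": "CN=mail.google.com", "issuer": "CN=DigiNotar Example CA (constructed)", "spki": b"leaf-key-2"},
    {"subject": "CN=DigiNotar Example CA (constructed)", "issuer": "CN=DigiNotar Example CA (constructed)", "spki": ROGUE_CA_SPKI},
]
# A chain from a CA that is trusted in general but is not pinned for Gmail.
OTHER_CHAIN = [
    {"subject": "CN=mail.google.com", "issuer": "CN=Other Root (constructed)", "spki": b"leaf-key-3"},
    {"subject": "CN=Other Root (constructed)", "issuer": "CN=Other Root (constructed)", "spki": OTHER_CA_SPKI},
]
```

Running `evaluate_chain("mail.google.com", ...)` over the three chains accepts only GOOD_CHAIN; OTHER_CHAIN is still accepted for an unpinned host such as example.com, which is exactly the gap that pinning closes for sensitive domains.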
post #20 of 24
any change in lion snappiness? any issues with update?
post #21 of 24
Quote:
Originally Posted by gdog View Post

any change in lion snappiness? any issues with update?

It's 188 kilobytes. If something breaks after installing something that small, something was broken to begin with.

Originally posted by Marvin

Even if [the 5.5” iPhone exists], it doesn’t deserve to.
post #22 of 24
Quote:
Originally Posted by talksense101 View Post

The sickening thing about man-in-the-middle attacks is that you will never know it happened unless the software is smart enough. The reason Chrome caught it is because of its strong security feature. The irony is that you bend over backwards with Chrome and expose all your personal browsing habits and history to Google, but at least it prevents others from snooping on you.

In addition both Google and Firefox addressed the problem a couple of weeks ago, end of August. Use either of those browsers to avoid this particular problem.

http://forums.cnet.com/7726-6132_102-5195666.html
melior diabolus quem scies
post #23 of 24
Quote:
Originally Posted by talksense101 View Post

The sickening thing about man-in-the-middle attacks is that you will never know it happened unless the software is smart enough. The reason Chrome caught it is because of its strong security feature. The irony is that you bend over backwards with Chrome and expose all your personal browsing habits and history to Google, but at least it prevents others from snooping on you.

Agree. Firefox until the update came out was a safe bet. Chrome is far more invasive than people think.
post #24 of 24
Quote:
Originally Posted by Tallest Skil View Post

Do you know of a single instance where this was exploited? Apple's security updates come before anything happens at least 90% of the time. The only exploits I've ever seen actually exploited were MacDEFENDER and MacWhatevertheotheronewas.

It is a big issue here in The Netherlands. The exploit is months old; DigiNotar kept quiet after they found out, and many people got screwed as a result. The exploit is still a big issue, with misuse of social security numbers and such. I'd post links but all the sites I'm reading are in Dutch. Of course you can search yourself for info if you're interested...

http://blogs.computerworld.com/18927...ck_effectively

From the article:
"ComodoHacker took ten days to get inside DigiNotar's servers. Once inside, he created 531 fake certificates, for sites including Google, Facebook and Skype, as well as the CIA, MI6 and Mossad. These certificates could be used to spoof websites in order to grab personal information, or even to read email on Gmail servers.

After what some see as an unusually lengthy two week wait, Apple last Friday finally shipped a software update to block Safari users from reaching sites secured with DigiNotar certificates. Despite Apple's recent moves to improve its security teams, that delay was too lengthy, some say."
"Fibonacci: As easy as 1, 1, 2, 3..."