Skip to content

September 10, 2011

Security Update 2011-005 Fixes DigiNotar SSL Vulnerability

Apple has finally issued Security Update 2011-005 to address the recent issues around compromised Dutch certificate authority DigiNotar. It was discovered that at least 531 fraudulent SSL certificates were issued by DigiNotar, leading to their root certificate being revoked in all major operating systems and browsers over the past two weeks. A man-in-the-middle attacker in possession of one of these certs (eg. Google, Skype), would be able to intercept SSL-encrypted traffic to those sites. It is believed that the use of these fraudulent certs may have been limited to the Iranian government.

This patch removes the DigiNotar CA from the trusted root certificates in the Mac OS X keychain (which is also used by Safari) for Lion and Snow Leopard. Unfortunately no patch has been issued for Leopard (10.5) users, leaving them at a heightened risk from these bad certificates. It is recommended that Leopard users delete the DigiNotar CA certificate from the Keychain using the following steps:

  1. Open Keychain Access (/Applications/Utilities/Keychain Access)
  2. Click on the System Roots keychain in the top-left hand panel
  3. Click on Certificates in the bottom-left hand panel
  4. Type DigiNotar into the search field in the top right.
  5. Right-click on the DigiNotar Root CA, and select Delete.
For sysadmins, the following Terminal command achieves the same thing:
# sudo /usr/bin/security delete-certificate -Z C060ED44CBD881BD0EF86C0BA287DDCF8167478C /System/Library/Keychains/SystemRootCertificates.keychain

Firefox users should update to the latest version of Firefox. Here is the full Apple description for this update:

Security Update 2011-005

  • Certificate Trust Policy Available for: Mac OS X v10.6.8, Mac OS X Server v10.6.8, OS X Lion v10.7.1, Lion Server v10.7.1Impact: An attacker with a privileged network position may intercept user credentials or other sensitive information

    Description: Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar’s certificates, including those issued by other authorities, are not trusted.

Share your thoughts, post a comment.


Note: HTML is allowed. Your email address will never be published.

Subscribe to comments