Slightly less than two weeks after the first public signs of DigiNotar being compromised, Apple has revoked their certificates.
The Apple update is available for users of Snow Leopard (10.6) and Lion (10.7), but mysteriously not offered to users of Leopard or earlier versions.
After applying the update Mac users should no longer see DigiNotar as a trusted root certificate in the Keychain Access application.
You can check for updates by clicking the Apple logo in the upper-left corner of the screen and choosing Software Update.
If you are running an older Mac you can still protect yourself, but you will need to do it manually. You can follow the excellent instructions posted over at the ps | Enable blog.
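For readers who would rather verify the result from a terminal than browse Keychain Access, here is an added example (not from the original post) that dumps the macOS system roots keychain with the `security` command-line tool and reports any certificate whose label still matches "DigiNotar". The attribute-dump text in `SAMPLE_DUMP` is constructed to resemble `security find-certificate -a` output so the label filter can be exercised on any POSIX system; the keychain path is the standard location of the system roots on Snow Leopard and Lion.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the macOS `security`
# tool; the sample dump below is constructed, not captured from a real Mac.

SYSTEM_ROOTS="/System/Library/Keychains/SystemRootCertificates.keychain"

# filter_ca_labels PATTERN
# Reads a `security find-certificate -a` attribute dump on stdin and prints one
# line per certificate label (the "labl" attribute) that matches PATTERN.
filter_ca_labels() {
    pattern="$1"
    sed -n 's/^[[:space:]]*"labl"<blob>="\(.*\)"[[:space:]]*$/\1/p' | grep -i -- "$pattern"
}

# count_ca_labels PATTERN
# Number of matching labels on stdin (0 when none match).
count_ca_labels() {
    filter_ca_labels "$1" | wc -l | tr -d ' '
}

# audit_trusted_roots PATTERN [KEYCHAIN]
# Dumps every certificate in KEYCHAIN (system roots by default) and prints the
# labels matching PATTERN. Returns 0 when none remain, 1 when any is still there.
audit_trusted_roots() {
    pattern="$1"
    keychain="${2:-$SYSTEM_ROOTS}"
    matches=$(security find-certificate -a "$keychain" 2>/dev/null | filter_ca_labels "$pattern" || true)
    if [ -n "$matches" ]; then
        printf 'still present in %s:\n%s\n' "$keychain" "$matches"
        return 1
    fi
    printf 'no certificate matching "%s" in %s\n' "$pattern" "$keychain"
    return 0
}

# Constructed sample dump: two DigiNotar entries and one unrelated root.
SAMPLE_DUMP='keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
version: 256
class: 0x80001000
attributes:
    "alis"<blob>="DigiNotar Root CA"
    "labl"<blob>="DigiNotar Root CA"
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
attributes:
    "labl"<blob>="Example Trust Root"
keychain: "/System/Library/Keychains/SystemRootCertificates.keychain"
attributes:
    "labl"<blob>="DigiNotar Root CA G2"
'

if [ "${1:-}" = "--self-test" ]; then
    # Exercise the filter on the constructed dump.
    printf '%s' "$SAMPLE_DUMP" | filter_ca_labels "DigiNotar"
elif [ -x /usr/bin/security ]; then
    # On a Mac, audit the real system roots after installing the update.
    audit_trusted_roots "DigiNotar"
fi
```

Run `sh check_roots.sh` on a patched Mac and expect "no certificate matching"; a non-zero exit means a DigiNotar root is still present in the system roots keychain. Note that this checks the system roots only; a certificate added to a user's login keychain with explicit trust would need `security dump-trust-settings` to find.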
Apple, like Microsoft, Google and RIM, has not released any update for its mobile platform.
This is an opportunity for Apple to get ahead of the competition.
It is much easier for Apple to patch iDevices than for Google to fix Android, get the handset makers to apply the fixes and then convince the carriers to deploy the updates.
Apple users should apply this update as soon as they can and hope that the other CAs the attacker claims to have compromised won’t end up in a similar situation to DigiNotar.
4 comments on “Apple releases update to remove DigiNotar from trusted list”
Even if you have 10.7.1 of Lion, you should check for updates. You need Security Update 2011-005. After applying Security Update 2011-005 your "About This Mac" will still indicate that you have 10.7.1 of Lion.
Actually, 10.6.8 and 10.7.1 were already the current versions of the OS. The patch is called Security Update 2011-005, and it’s *available for* the previously-released versions of Snow Leopard and Lion, 10.6.8 and 10.7.1. The OS version numbers remain the same after applying this security update.
The reason why Apple didn't patch Leopard (10.5.x) is that Apple only supports the most recent (in this case, Lion, 10.7.x) and one previous (Snow Leopard, 10.6.x) major release of the operating system with security updates.
Based on Apple's track record, Leopard will still get minor updates for Safari and QuickTime (security updates, not feature updates) and probably iTunes updates for some period of time, but no security patches for the main operating system.
Basically, this means that everyone still using a PowerPC (G4 or G5) processor, which maxes out at Leopard, can no longer receive security updates. So if you bought a PowerPC-based Mac around 5 or 6 years ago, you're totally out of luck. Of course, Adobe stopped releasing Flash updates for PowerPC earlier this year, so you were already out of luck on that front anyway.
I just finished writing a very detailed article about this here: http://security.thejoshmeister.com/2011/09/apple-…
I’ve been a Mac user since 1986, so my fondness for the platform is well established. But Apple’s increasingly restrictive hardware requirements for its software “upgrades” are a real point of contention for me. Even the Intel Core Duo machines are locked out of Lion. Whether the obsolescence now being experienced by Mac users is “planned” or not, it’s real, and it forces users to upgrade their hardware, whether they need to or not.
I suspect that this is partly a consequence of the Mac platform’s expanding market, wherein a growing number of Mac users are folks who previously used Windows. Many of them are already accustomed to much shorter hardware life cycles (1 to 3 years) than Mac users have historically enjoyed (3 to 5 years). Obviously Apple knows this, and is taking advantage of that shift toward lower expectations among its user base.
Of course, Apple isn’t the only software developer who won’t support PowerPC hardware. Browsers, mail apps, and a host of other software applications have dropped PPC support. I could still do most of the things I need to do on my trusty old G5, but without security support, there’s no recourse. Alas, the G5 now sits here collecting dust — a perfectly good machine, forced out of use by lack of software support for security issues.