DigiNotar certificate fraud addressed with Snow Leopard and Lion updates

Apple has released a security update for OS X 10.6 Snow Leopard and OS X 10.7 Lion that addresses an issue in which the use of fraudulent certificates could allow an attacker to steal user credentials and other private information through a network connection. The problem revolved around the use of DigiNotar as a trusted certificate authority, which has been removed by this update.

Certificates are a method of identifying a computer system or a user automatically without the need for an account and password. A certificate is generated by an authority and contains a key for encrypting or decrypting a connection with a specific server, in addition to user identification information such as names, addresses, and company affiliations. In essence, it is a personalized ticket for accessing a remote server.

Certificates can be generated by any source, but for safety there are a number of certificate authorities that are trusted sources for certificates, which computer manufacturers like Apple build into their systems. In this case, the automatic acceptance of certificates signed by the authority DigiNotar was the root of the security problem. In recent months the company suffered a hacking attack which resulted in hundreds of certificates issued for various Web companies (including Google, Yahoo, Mozilla) to unknown recipients in foreign countries, and these certificates were subsequently used in various attacks on the Web companies' services.

Before this update, OS X users would have to manually remove DigiNotar certificates from their keychains, but this update now keeps the certificates from being automatically used.

The update can be installed through Software Update, or from the following download links:

• Security Update 2011-005 (Snow Leopard)

• Security Update 2011-005 (Lion)

Questions? Comments? Have a fix? Post them below or e-mail us!
Be sure to check us out on Twitter and the CNET Mac forums.