From Heise Security:
Browser makers update their DigiNotar disaster updates:
As more details of the damage from the DigiNotar CA compromise are revealed, browser makers are now releasing second updates to their products to remove more untrustworthy certificates. Mobile device users and Mac OS X users are less well served.
Microsoft has updated security advisory 2607712 and announced that it has added the root certificates for DigiNotar Root CA and the DigiNotar PKIoverheid to its Untrusted Certificate Store. The update should appear automatically on most Windows systems but Microsoft has also made immediate download links for the update available for all Windows systems from Windows XP to Windows 7 and Windows 2008. The automatic update is not being performed in the Netherlands at this time at the request of the Dutch government.
Mozilla has released updates for Firefox browser, 6.0.2 and 3.6.22, and the Thunderbird email client, 6.0.2, 7.0 beta and 3.1.14 ; these new updates remove all trust from the DigiNotar CA. Firefox 3.6 and Thunderbird 3.1 users are encouraged to select "Check for Updates" from the Help menu to get the update; other users should see the update arrive automatically in the next 24 hours.
Mobile users and Mac users are less well served. There has been no news of updates for Apple's iOS or Google's Android, meaning the mobile devices that run those operating systems are still vulnerable to man-in-the-middle attacks using the bogus certificates. When Apple do move to release an update though, it should be widely available. Android users will have to wait for each device vendor to release updates for their phones, or move to a custom ROM such as CyanogenMod; a fix is in the process of being implemented for the popular third party ROM. Mac OS X users are also waiting for a security update; despite instructions on how to distrust DigiNotar certificates on the Mac being available, Apple have, so far, remained silent about releasing an automated update.
http://www.h-online.com/security/news/item/Browser-makers-update-their-DigiNotar-disaster-updates-1338144.html
Related: Firefox 6.0.2 fixes yet more DigiNotar certificate fallout
___________________
On-going details will be posted in the following (stickie) thread at the Spyware, Viruses & Security Forum:
Microsoft Security Advisory (2607712)
Both browsers have updates available after the discovery
of a fraudulent DigiNotar SSL certificate being used in Iran as part of a man-in-the-middle attack, Mozilla has now released versions of Firefox 6.0.1, Firefox 3.6.21 and Thunderbird 6.0.1, and Google has released Chrome 13.0.782.218. The updates disable or delete entries for DigiNotar's Certificate Authority. Google also took the opportunity to update the Adobe Flash Player in Chrome and also updated development versions of Chrome.
The impact of the removal of the DigiNotar Root certificate, beyond that of blocking the one (or more) bogus certificates, is unclear, though it may have an impact on users in the Netherlands where DigiNotar operates. For example, the government's DigiD identity management platform uses SSL certificates issued by DigiNotar.
Users will see the updates for Firefox within 24 to 48 hours. Firefox 3.6.x users who wish to install the update manually can download it from the "Older Firefox" page. At the time of writing, according to Mozilla's advisory page, updates for the Aurora and Nightly builds of Firefox have been updated as well, but not the Firefox 7 beta; Thunderbird 7 beta and Firefox for Mobile will be updated soon. Users can also manually check.
Chrome users should see their updates appear automatically, but can also manually update the browser.
Update: Mozilla has also released version 3.1.13 of Thunderbird to revoke the root certificate for DigiNotar.
http://www.h-online.com/security/news/item/Updated-Chrome-and-Firefox-for-fraudulent-Google-certificate-available-1333898.html
Related:
Falsely issued Google SSL certificate in the wild for more then 5 weeks
Rogue Google SSL certificate missed by auditors
Thanks to Carol for providing this information, and for doing all the hard work!
Carol's post about this in the Spyware, viruses and security forum can be found here;
NEWS - August 31, 2011: Updated Chrome and Firefox for fraudulent Google certificate available
And there is further information in that thread.
Mark
Chowhound
Comic Vine
GameFAQs
GameSpot
Giant Bomb
TechRepublic