DigiNotar certificate fraud addressed with Snow Leopard and Lion updates

Apple has issued a security update for both OS X 10.6 and 10.7 that addresses concerns over recent fraudulent certificates from the DigiNotar certificate authority.

Topher Kessler MacFixIt Editor

Apple has released a security update for OS X 10.6 Snow Leopard and OS X 10.7 Lion that addresses an issue in which fraudulent certificates could allow an attacker to steal user credentials and other private information over a network connection. The problem stemmed from DigiNotar being treated as a trusted certificate authority; this update removes that trust.

Certificates are a method of identifying a computer system or a user automatically, without the need for an account and password. A certificate is issued by an authority and contains a key used to encrypt and decrypt the connection with a specific server, along with identifying information such as names, addresses, and company affiliations. In essence, it is a personalized ticket for accessing a remote server.

[Screenshot: Keychain Access] Before this update, DigiNotar root certificates had to be removed manually from the system using Keychain Access.

Certificates can be generated by anyone, but for safety there are a number of certificate authorities that are treated as trusted sources, which computer manufacturers like Apple build into their systems. In this case, the automatic acceptance of certificates signed by the authority DigiNotar was the root of the security problem. In recent months the company suffered a hacking attack that resulted in hundreds of certificates for various Web companies (including Google, Yahoo, and Mozilla) being issued to unknown recipients in foreign countries, and these certificates were subsequently used in various attacks on the Web companies' services.

Before this update, OS X users had to remove the DigiNotar certificates from their keychains manually; the update now keeps certificates issued by DigiNotar from being trusted automatically.

The update can be installed through Software Update, or from the following download links:
