
DigiNotar certificate fraud addressed with Snow Leopard and Lion updates

Apple has issued a security update for both OS X 10.6 and 10.7 that addresses concerns over recent fraudulent certificates from the DigiNotar certificate authority.

Apple has released a security update for OS X 10.6 Snow Leopard and OS X 10.7 Lion that addresses an issue in which the use of fraudulent certificates could allow an attacker to steal user credentials and other private information through a network connection. The problem revolved around the use of DigiNotar as a trusted certificate authority; this update removes DigiNotar from the list of trusted authorities.

Certificates are a method of identifying a computer system or a user automatically without the need for an account and password. A certificate is generated by an authority and contains a key for encrypting or decrypting a connection with a specific server, in addition to user identification information such as names, addresses, and company affiliations. In essence, it is a personalized ticket for accessing a remote server.

Before this update, DigiNotar root certificates needed to be removed manually from the system using Keychain Access.

Certificates can be generated by any source, but for safety computer manufacturers like Apple build a number of trusted certificate authorities into their systems. In this case, the automatic acceptance of certificates signed by the authority DigiNotar was the root of the security problem. In recent months the company suffered a hacking attack that resulted in hundreds of certificates for various Web companies (including Google, Yahoo, and Mozilla) being issued to unknown recipients in foreign countries, and these certificates were subsequently used in various attacks on the Web companies' services.

Before this update, OS X users had to manually remove DigiNotar certificates from their keychains; with the update installed, the system no longer uses those certificates automatically.

The update can be installed through Software Update, or from the following download links:
