Apple has issued a security update for Snow Leopard and Lion to revoke trust in certificates from DigiNotar.
Following last week's compromise of the Dutch certificate authority (CA), internet giants such as Google, Microsoft and Mozilla revoked trust in DigiNotar's certificates, and Apple has now followed suit.
The update, labelled ‘Security Update 2011-05’, modifies the default trust system configuration so that DigiNotar certificates are not trusted.
In a statement, Apple said: “Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.”
According to Chester Wisniewski, senior security adviser at Sophos Canada, the Apple update is available for users of Snow Leopard (10.6) and Lion (10.7), but mysteriously is not offered to users of Leopard or earlier versions.
“This is an opportunity for Apple to get ahead of the competition,” he said. “Apple users should apply this update as soon as they can, and hope that the other CAs that the hacker is claiming to have hacked won't end up in a similar situation to DigiNotar.”
The Apple update does not cover iOS devices such as the iPhone and iPad.