DigiNotar Certificates Threat Averted by Vendors

DigiNotar, a Dutch certificate authority, caused trust problems when it released fraudulent SSL certificates two weeks ago. All major operating system (OS) vendors and browser developers have since released updates revoking the DigiNotar certificate.

Mozilla has released Firefox 3.6.22 and Firefox 6.0.2 to address this issue. Additional information can be found in the Mozilla Security Blog.

Microsoft has removed the DigiNotar root certificates from the Microsoft Certificate Trust List. This change affects all versions of Windows Vista, Windows 7, Windows XP, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2003. Additional information can be found in Microsoft Security Advisory 2607712.

Google Chrome users are protected from this attack due to Chrome’s built-in certificate pinning feature. Google has also released Chrome 13.0.782.220 for Windows, Mac, Linux, and Chrome Frame to address this issue. Additional information can be found in the Google Security Blog and in the Google Chrome Releases blog entry.

Apple has released Security Update 2011-005 for Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion 10.7.1, and Lion Server 10.7.1 to address this issue.

Adobe will be releasing an update to remove the DigiNotar certificate from the Adobe Approved Trust List. In the meantime, Adobe has released a blog entry containing a workaround for Adobe Reader and Acrobat 9, and Adobe Reader and Acrobat X.


About MIT
IT Security Awareness Consultant and Communications Specialist at MIT
