Apple has issued an update for Mac OS X 10.7 Lion and 10.6 Snow Leopard systems that addresses the recent security breach involving DigiNotar's fake SSL certificates. The patch removes DigiNotar from the list of trusted root certificates and from the list of Extended Validation certificate authorities, and configures the default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted.
DigiNotar is one of several firms that are authorized to issue digital certificates used to verify the identity of a website. On August 30 the Dutch company announced that its servers had been compromised and that fake certificates might have leaked into the wild. It's been suggested that more than 500 fake certificates have been issued so far, including certificates for Microsoft, Facebook, Twitter, and Google. An attacker using a stolen certificate could potentially intercept a user's credentials and sensitive information.
Web browsers including Firefox, Chrome and Opera were quickly updated following the breach to revoke all certificates issued by DigiNotar. Windows users also received an update shortly thereafter, but Apple had so far remained quiet. Meanwhile, neither Google nor Apple has made any announcements regarding a patch for their mobile platforms.
Security Update 2011-005 is available to download via Software Update or through Apple's support site. The smallish download (188Kb - 15Mb) requires a restart and is recommended for all Mac users.