Has Apple handled the DigiNotar attack effectively?

By Jonny Evans

Security researchers are once again slamming Apple [AAPL], this time for what they see as the firm's slow delivery of an essential security update. The update patches a problem caused by ComodoHacker's recent subversion of DigiNotar, a small digital certificate provider.


We offer you protection

ComodoHacker took ten days to get inside DigiNotar's servers. Once inside, he created 531 fake certificates, for sites including Google, Facebook and Skype, as well as the CIA, MI6 and Mossad. These certificates could be used to spoof websites in order to grab personal information, or even to read email on Gmail servers.

After what some see as an unusually lengthy two week wait, Apple last Friday finally shipped a software update to block Safari users from reaching sites secured with DigiNotar certificates. Despite Apple's recent moves to improve its security teams, that delay was too lengthy, some say.

"We're looking at some very serious issues [about trust on the Web] and it doesn't help matters when Apple is dragging its feet," said Paul Henry, a security and forensics analyst with Arizona-based Lumension, as reported by Computerworld.

Apple was the last of the big software giants to deliver protection to its users. Others, including Microsoft, Mozilla and Opera, had already done so.

No love for Leopard

Regrettably, Apple hasn't offered complete security for its users: Snow Leopard and Lion are protected, but a security patch for Leopard (the last version of OS X to run on PowerPC systems) has, somewhat unkindly, not been made available.

If you're a Mac user on a Leopard system then it may be worth following these excellent instructions in order to manually protect yourself. Be warned: these manual steps don't provide complete protection.

Apple has also failed to update its existing mobile devices with an iOS update to protect against the potential security threat. Apple isn't unique in its failure to patch mobile devices; neither Google, Microsoft nor RIM has done so.

The mobile threat

Chester Wisniewski at the Sophos 'Naked Security' blog observes, "It is much easier for Apple to patch iDevices than Google to fix Androids, get the handset makers to apply the fixes and then convince the carriers to deploy the updates."

Wisniewski seems to argue that this lack of an update for mobile devices is a big loss to Apple: not only has it failed to respond quickly in protecting customers now, but it has also lost a potential market advantage. Would it not be better for Apple to be able to promise iOS users best-in-class security, proven through a fast response to such threats?

Apple's foe, Google, was a major target in this hack, which was allegedly used to spy on Gmail communications in Iran. Google quickly advised all its users there to change their passwords and ensure their accounts had not been compromised.

"We found that Internet users in more than 40 different networks of ISPs and universities in Iran were met with rogue SSL certificates issued by DigiNotar. Even worse, we found evidence that some Iranians who used software designed to circumvent traffic censorship and snooping were not protected against the massive man-in-the-middle attack," wrote Trend Micro.

Trusting the machine

In a statement, Apple said: "Fraudulent certificates were issued by multiple certificate authorities operated by DigiNotar. This issue is addressed by removing DigiNotar from the list of trusted root certificates, from the list of Extended Validation (EV) certificate authorities, and by configuring default system trust settings so that DigiNotar's certificates, including those issued by other authorities, are not trusted."
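As an added illustration (not Apple's code, nor anything from the article), the following Python model shows why Apple's statement distinguishes removing DigiNotar from the trusted roots from distrusting its certificates "including those issued by other authorities": a CA that is also cross-signed by a still-trusted root keeps validating unless it is distrusted by name. The certificates, the "Trusted Root A" anchor and the leaf host name are all constructed; real X.509 path building and signature checks are omitted.

```python
# Simplified trust-store model: certificates are dicts with a subject and
# an issuer; a self-signed cert has subject == issuer. Constructed data only.

TRUSTED_ROOTS = {"Trusted Root A", "DigiNotar Root CA"}   # constructed store
DISTRUSTED = {"DigiNotar"}   # any subject containing this string is rejected


def build_chain(leaf, pool):
    """Walk issuer links from the leaf until a self-signed cert or a gap."""
    chain, cert = [leaf], leaf
    while cert["issuer"] != cert["subject"]:
        cert = pool.get(cert["issuer"])
        if cert is None:           # issuer unknown: chain is incomplete
            break
        chain.append(cert)
    return chain


def chain_ok(leaf, pool, roots, distrusted=frozenset()):
    """True only if the chain ends at a trusted self-signed root and no
    certificate in the chain matches an explicit distrust rule."""
    chain = build_chain(leaf, pool)
    if any(d in c["subject"] for c in chain for d in distrusted):
        return False               # explicit distrust wins over any anchor
    anchor = chain[-1]
    return anchor["subject"] in roots and anchor["issuer"] == anchor["subject"]


def verify_scenarios():
    """Compare root removal alone with root removal plus explicit distrust."""
    roots_after_removal = TRUSTED_ROOTS - {"DigiNotar Root CA"}
    leaf = {"subject": "mail.example.com", "issuer": "DigiNotar Public CA"}
    # Scenario 1: DigiNotar's intermediate chains to DigiNotar's own root.
    direct = {
        "DigiNotar Public CA": {"subject": "DigiNotar Public CA", "issuer": "DigiNotar Root CA"},
        "DigiNotar Root CA": {"subject": "DigiNotar Root CA", "issuer": "DigiNotar Root CA"},
        "Trusted Root A": {"subject": "Trusted Root A", "issuer": "Trusted Root A"},
    }
    # Scenario 2: the same intermediate is cross-signed by another trusted root.
    cross = dict(direct)
    cross["DigiNotar Public CA"] = {"subject": "DigiNotar Public CA", "issuer": "Trusted Root A"}
    return {
        "direct_before": chain_ok(leaf, direct, TRUSTED_ROOTS),
        "direct_after_removal": chain_ok(leaf, direct, roots_after_removal),
        "cross_after_removal": chain_ok(leaf, cross, roots_after_removal),
        "cross_with_distrust": chain_ok(leaf, cross, roots_after_removal, DISTRUSTED),
    }


if __name__ == "__main__":
    for name, ok in verify_scenarios().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the last scenario rejects the cross-signed chain, which is why a trust-store fix has to carry a distrust entry and not merely drop the root.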

Attacking Apple for its perceived lack of alacrity in delivering a security patch is perhaps unfair.

The original problem appeared to target Gmail users in Iran. At the high point of the attack, the provider witnessed a much larger percentage than normal of requests from Iran, which far outweighed those from any other country, with the exception of the Netherlands.

Trend Micro warns that while the certification authority was exposed, a third party was "probably able to read all of the email messages an Iranian Internet user sent with his/her Gmail account."

It is also possible that over 300,000 Iranian Internet users may have seen their personal information stolen by spoof sites.

Talk to me

Apple won't comment on the way it has handled the security incident as a matter of policy, prompting Roel Schouwenberg, security researcher at Kaspersky, to call the firm "old-fashioned" in its approach.

I agree that the firm should perhaps have reached out to customers to explain its planned response once that problem was identified, but Apple has now acted to protect its users.

I do criticize Apple for failing to protect the many millions of active users who continue to use PowerPC-based Macs. These systems will not run Apple's Snow Leopard or Lion systems, and the company has not updated security for older OS installs.


The PowerPC problem

Surely it isn't beyond the remit of the world's most valuable technology company to work to protect those users who may not yet have made the leap to Intel?

I consider the lack of security protection for these legacy Mac users to be an extraordinarily cynical decision, as effectively it means the firm is attempting to use the existence of security threats as part of the motivation to force customers to upgrade.

I understand that these systems are now historical anachronisms, but would argue that the Intel transition makes for a special case, and provision of relatively simple security updates for the last Apple OS to run on these systems isn't a commitment that's likely to impact the company's cash in hand.

Given the severe economic and political instability currently felt across most of the planet, you can rest assured that many Mac users stuck on PowerPC devices would love to upgrade, but cannot afford to. Given the relative affordability of delivering security patches, I'd like to see Apple offer these customers such protection.

Please let me know what you think in comments below. Please follow me on Twitter so I can let you know when I post new reports here at Computerworld.
