Marketing and Upgrades

Jonny Evans has made some interesting points at Computer World regarding Apple's belated removal of DigiNotar root certificates from OS X (specifically Lion and Snow Leopard). Clearly, this restricts mitigation not only to users of the latest versions of the OS, but to Intel-driven hardware: Leopard was the last version of OS X to run on PPCs.

Let's take a personal diversion. I have an aging iBook in my office, long past the end of its rope as far as any commercial software is concerned. (No, that isn't my only Mac!) I basically keep it around for reasons of nostalgia; it still contains the original versions of a couple of my books, and I hate to throw out a machine that still works most of the time just because it runs antique apps and Mac OS 9.2. (It did run early OS X for a while, but it wasn't benefiting much from the upgrade.) I don't care that there are no recent patches, no modern browser, and no modern security software that runs on it, because it hardly ever talks to the outside world, and I'm all too familiar with the problems that accompany trying to stay backward compatible forever on wildly obsolete systems.

But if I still had a relatively recent MacBook still running Leopard, or the eMac I bought in 2006 for some lab work now long finished, I might be less forgiving, at any rate in this instance. These are, after all, certificates, not a development-intensive OS patch, though implementation has probably been hampered by a long-standing bug in EV-SSL handling.

Evans interprets this as "attempting to use the existence of security threats as part of the motivation to force customers to upgrade." Well, that may be cynical, if true, but it wouldn't be unique. Consider, for instance, the annoyingly frequent prompts that XP users may receive to upgrade to IE 9, which they can't do without upgrading their OS as well. Given, though, that we're still waiting for an upgrade to cover mobile Safari (not to mention Android browsing: this isn't just Apple!), maybe it's just a work in progress, and will be extended a little further back down the development timeline.

In fact, though there have been many reports assuming that the Extended Validation bug mentioned above is fixed by security update 2011-005, that update simply states that DigiNotar has been removed "from the list of trusted root certificates, from the list of ... (EV) certificate authorities, and by configuring default trust settings so that DigiNotar's certificates ... are not trusted." That doesn't read to me as if the underlying EV handling has been fixed, but maybe they just didn't see fit to mention it. If it wasn't fully fixed, though, I find it hard to believe that it's not in process. I certainly can't believe that Apple, and the other vendors who haven't yet updated their mobile devices, think untrustworthy certs can't be a problem in the mobile market.
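To make the three actions named in the 2011-005 note concrete, here is a simplified Python model of a trust store (added for illustration; it is not Apple's code and not the OS X trust algorithm). It shows why removing a root from the trusted list, removing it from the EV list, and setting an explicit deny are separate measures: the first two stop vendor-anchored chains and the EV indicator, while only the deny setting overrides trust a user may have added by hand. The root and leaf names are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str               # same as subject for a self-signed root
    ev_policy: bool = False   # leaf asserts an EV policy (modelled as a flag)

@dataclass
class TrustStore:
    system_roots: set                               # roots shipped by the vendor
    ev_cas: set                                     # roots allowed to grant EV status
    user_trusted: set = field(default_factory=set)  # roots a user trusted by hand
    deny: set = field(default_factory=set)          # explicit deny trust settings

def evaluate(chain, store):
    """chain is leaf-first and ends in a self-signed root.
    Returns (trusted, ev). Simplified model, not the OS X algorithm."""
    # An explicit deny on any certificate in the chain beats every other setting.
    if any(c.subject in store.deny for c in chain):
        return (False, False)
    # Each certificate must be issued by the next one up the chain.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return (False, False)
    root = chain[-1]
    if root.issuer != root.subject:
        return (False, False)          # chain does not terminate in a root
    # The root must be anchored in the vendor list or in the user's own trust.
    if root.subject not in store.system_roots | store.user_trusted:
        return (False, False)
    ev = chain[0].ev_policy and root.subject in store.ev_cas
    return (True, ev)

# Constructed sample chain: a leaf issued directly by the DigiNotar root.
ROOT = Cert("DigiNotar Root CA", "DigiNotar Root CA")
LEAF = Cert("www.example.com", "DigiNotar Root CA", ev_policy=True)
CHAIN = [LEAF, ROOT]

def before_update():
    store = TrustStore({"DigiNotar Root CA"}, {"DigiNotar Root CA"})
    return evaluate(CHAIN, store)                   # -> (True, True)

def roots_removed_but_user_trusts():
    # Root pulled from both vendor lists, but a user had trusted it by hand.
    store = TrustStore(set(), set(), user_trusted={"DigiNotar Root CA"})
    return evaluate(CHAIN, store)                   # -> (True, False)

def roots_removed_and_denied():
    store = TrustStore(set(), set(), user_trusted={"DigiNotar Root CA"}, deny={"DigiNotar Root CA"})
    return evaluate(CHAIN, store)                   # -> (False, False)
```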

In the meantime (though I haven't tried it out personally) there is a third-party fix that apparently works with Leopard on PPC: http://ps-enable.com/articles/diginotar-revoke-trust. My iBook, however, will continue to maintain a posture of splendid isolation...
