April 15th, 2011, 13:38 GMT

Apple Blacklists Rogue Comodo Certificates One Month After Breach

[Image: Apple updates certificate blacklist in Mac OS X and iOS]
Apple has released security updates for its Mac OS X and iOS operating systems in order to block rogue digital certificates issued by Comodo over a month ago.

The new Security Update 2011-002, available for Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.7 and Mac OS X Server v10.6.7, only updates the hard-coded certificate blacklist.

"An attacker with a privileged network position may intercept user credentials or other sensitive information," Apple warns in its security advisory.

The same blacklist update is also included in the new iOS 4.3.2 and iOS 4.2.7 (for the CDMA iPhone 4); however, these releases also contain other security fixes.

Namely, iOS 4.3.2 addresses a remotely exploitable vulnerability in the libxslt library which can be used to bypass the address space layout randomization (ASLR) protection.

Both iOS 4.3.2 and iOS 4.2.7 fix two arbitrary code execution flaws in the WebKit layout engine. One of these vulnerabilities, identified as CVE-2011-1290, was used by security researchers Vincenzo Iozzo, Willem Pinckaers and Ralf Philipp Weinmann to hack into the BlackBerry at Pwn2Own.

Like Mobile Safari, BlackBerry's browser is based on WebKit. The second vulnerability was also used during the Pwn2Own competition to compromise Safari on Mac OS X. It was discovered by the VUPEN Security team.

Another vulnerability fixed in both iOS 4.3.2 and iOS 4.2.7 was discovered by reputed Mac hacker Charlie Miller and his colleague Dion Blazakis. It is located in QuickLook and can be exploited to execute potentially malicious code by opening a specially crafted Microsoft Office file.

The digital certificate blacklist update is the result of an incident which involved a Comodo reseller being compromised and its credentials being used to obtain rogue certificates for several high-profile domains.

Apple's update for this issue comes quite late compared with those from Mozilla, Google and Microsoft, arriving a month after Comodo began notifying vendors.
