In the wake of the recent DigiNotar hack that left users vulnerable to fraudulent digital certificates, most companies moved to patch vulnerabilities and/or revoke trust in the DigiNotar-signed certificates — Adobe, Mozilla, Google and Microsoft among them. Apple was a little slower with its security update to address the problem, which caused some grumbling, but when they did issue a fix last Friday, it was only for newer systems. Older versions of the Mac OS — Leopard and Tiger — will not receive a security update, leaving some Safari users open to the vulnerability.
ZDNet UK’s Ben Woods makes the good point that this decision leaves users with older systems having to fend for themselves — something that many businesses running perfectly good but older Macs are not likely to be happy about. He quotes security researcher Joshua Long on the problem:
“Those who purchased a pre-Intel Xserve in October 2006 have only owned them for 4 years and 11 months, and those who purchased a Power Macintosh G5 in July 2006 have only owned them for a little over 5 years,” Long said. “Most of these machines are still running perfectly fine, but Apple has completely cut them off from being able to receive critical security updates ever again.”
Long also noted that updates for Safari and QuickTime would not be sufficient for Leopard users without the OS update. The recommended mitigation is to manually remove the DigiNotar Root CA certificate from the Apple Keychain, although in this Ars Technica post, security researcher Ryan Sleevi noted that simply removing it isn’t enough to completely protect a user — modifications to the system trust store via the command line are also required.
What do you think of Apple’s decision to patch only the newest systems? Do you think it’s a trend that is likely to continue, and how will this affect business decisions to deploy Macs?