Browser makers update their DigiNotar disaster updates
As more details of the damage from the DigiNotar CA compromise are revealed, browser makers are now releasing second updates to their products to remove more untrustworthy certificates. Mobile device users and Mac OS X users are less well served.
Microsoft has updated security advisory 2607712 and announced that it has added the root certificates for DigiNotar Root CA and the DigiNotar PKIoverheid to its Untrusted Certificate Store. The update should appear automatically on most Windows systems, but Microsoft has also made immediate download links for the update available for all Windows systems from Windows XP to Windows 7 and Windows 2008. At the request of the Dutch government, the automatic update is not being performed in the Netherlands at this time.
Mozilla has released updates for the Firefox browser (6.0.2 and 3.6.22) and the Thunderbird email client (6.0.2, 7.0 beta and 3.1.14); these new updates remove all trust from the DigiNotar CA. Firefox 3.6 and Thunderbird 3.1 users are encouraged to select "Check for Updates" from the Help menu to get the update; other users should see the update arrive automatically in the next 24 hours.
Mobile users and Mac users are less well served. There has been no news of updates for Apple's iOS or Google's Android, meaning the mobile devices that run those operating systems are still vulnerable to man-in-the-middle attacks using the bogus certificates. When Apple do move to release an update, though, it should be widely available. Android users will have to wait for each device vendor to release updates for their phones, or move to a custom ROM such as CyanogenMod; a fix is in the process of being implemented for the popular third-party ROM. Mac OS X users are also waiting for a security update; although instructions on how to distrust DigiNotar certificates on the Mac are available, Apple have, so far, remained silent about releasing an automated update.