Security Update 2006-007 (#6): Login to secure sites fails (cont.) -- fixes; Problems launching Microsoft Office apps; more

CNET staff

Login to secure sites fails (cont.) -- fixes

We continue to report on problems logging into secure (https) Web sites in Safari and other WebKit-based applications after applying Security Update 2006-007. Since this update makes modifications to WebKit, it's logically implicated in the difficulties.

Even more telling than the WebKit changes, however, is the resolution (in this security update) of a vulnerability where "certain revoked certificates may be erroneously honored." It appears that Safari, instead of erroneously honoring bad certificates, is now erroneously rejecting some certificates.

There's one more change in Security Update 2006-007 that could be implicated in this problem: a fix for a vulnerability where it may be possible to create an X.509 certificate containing a public key that "could consume a significant amount of system resources during signature verification. An attacker may cause a system to process such a certificate, leading to a denial of service."

In at least some cases, the issue appears to be tied to certificates issued by VeriSign. Safari is incorrectly interpreting some of these certificates as invalid, reporting a mismatch between the host name listed in the certificate and the host name of the visited URL.

As such, one potential fix involves deleting certificate entries using Keychain Access, as follows:

  1. Launch Keychain Access (located in Applications/Utilities)
  2. Click on "Certificates" in the left-hand pane
  3. Delete any entries from VeriSign, or any certificates with a red cross next to them
  4. Re-attempt access to the problematic secure site

The most successful fix, however, involves deleting the file com.apple.security.revocation.plist from the following directory:

  • ~/Library/Preferences

You can replicate this workaround to some extent without deleting any files by opening Keychain Access (as mentioned above) then navigating to its Preferences (under the Keychain Access menu), clicking on the "Certificates" tab and making sure that both "Online Certificate Status Protocol (OCSP)" and "Certificate Revocation List (CRL)" are turned off. However, some users have found that only deleting the aforementioned file works.
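A reversible form of the file-deletion workaround, as an added example that is not part of the original article: instead of deleting com.apple.security.revocation.plist, it moves the file to a timestamped backup so the original revocation settings can be put back later. The function names and the backup naming scheme are assumptions made for this example.

```shell
#!/bin/sh
# Added example: reversible version of the "delete the revocation plist" workaround.
# PLIST_NAME is the file named in the article; the ".bak.<timestamp>" naming
# and both function names are assumptions of this example.
PLIST_NAME="com.apple.security.revocation.plist"

# set_aside_revocation_prefs [prefs_dir]
# Moves the plist to a timestamped backup and prints the backup path.
# Returns 1 if the plist does not exist (nothing to set aside).
set_aside_revocation_prefs() {
    prefs_dir="${1:-$HOME/Library/Preferences}"
    src="$prefs_dir/$PLIST_NAME"
    [ -f "$src" ] || { echo "not found: $src" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    backup="$src.bak.$stamp"
    # Do not clobber an earlier backup made within the same second.
    n=0
    while [ -e "$backup" ]; do
        n=$((n + 1))
        backup="$src.bak.$stamp.$n"
    done
    mv "$src" "$backup" && echo "$backup"
}

# restore_revocation_prefs backup_path [prefs_dir]
# Puts a backup back in place. Refuses to overwrite a plist that has been
# re-created in the meantime, so current settings are never silently lost.
restore_revocation_prefs() {
    backup="$1"
    prefs_dir="${2:-$HOME/Library/Preferences}"
    dest="$prefs_dir/$PLIST_NAME"
    [ -f "$backup" ] || { echo "no such backup: $backup" >&2; return 1; }
    [ ! -e "$dest" ] || { echo "refusing to overwrite: $dest" >&2; return 1; }
    mv "$backup" "$dest"
}
```

Run `set_aside_revocation_prefs`, note the path it prints, and re-attempt access to the secure site; pass that path to `restore_revocation_prefs` to return to the previous settings.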

Unfortunately, in some cases, it may be up to certificate providers to update their certification methods for compliance with Apple's new, more stringent security standards.

Palm Synchronization difficulties (cont.)

Meanwhile, users continue to report issues with Palm device synchronization.

Dick Wareham writes: "I also experienced the same issue with my Palm 505 to Intel MacBook Pro. Just hangs and fails to make connection. Worked just fine before I did the upgrade. Reinstalled Missing Sync Software, still no change; awaiting response from Mark Space. Never had a problem with their software previously."

John adds: "After applying the latest Apple Security update to my iMac 24" Intel computer, whenever I sync my Treo 700p to my iMac using Now-Up-to-Date version 5.3.1, it wipes out the Calendar contents on my computer. Not on the Treo 700p Calendar, just on the calendar on my computer."

Feedback? Late-breakers@macfixit.com.

Problems launching Microsoft Office applications (cont.)

We're also still seeking solutions for problems launching Microsoft Office applications (both Office v.X and Office 2004) after applying Security Update 2006-007.

Seamus Bennett writes: "Just confirming that I, too, am unable to launch Microsoft Word part of my Office X program. I have tried the two suggestions in your daily update but to no avail. The funny thing is that I can launch the program by logging in to my wife's user account and it seems to run fine. I also use Entourage on my own account with no problem. I'm running Mac OS X 10.3.9 on an old iMac 400."

Some users are finding success with workarounds listed in our tutorial "What to do when a Mac OS X application will not launch," while others are not.

If you are experiencing a similar issue, please let us know.
