Mac OS X bug leaves Safari users susceptible to fake DigiNotar certificates


A programming glitch in Mac OS X means that Safari users remain vulnerable to fraudulently issued security certificates, such as those obtained by the attackers who compromised the certificate authority DigiNotar.

Other popular browsers such as Chrome, Firefox and Internet Explorer have all blocked certificates issued by DigiNotar, though Apple (NASDAQ: AAPL) has remained quiet on when this may happen for Safari. Instead the onus is on users, who have to open the Mac OS X keychain themselves and mark the DigiNotar root certificates as untrusted ("Never Trust"); a user cannot revoke a certificate, only refuse to trust it.

Unfortunately, a programming error means that Mac OS X continues to accept Extended Validation (EV) certificates that chain to a certificate authority even after that authority has been marked as untrusted in the keychain. Ryan Sleevi, a software developer who has contributed to Google's (NASDAQ: GOOG) Chrome project, told Computerworld that "when Apple thinks you're looking at an EV Cert, they check things differently. They override some of your settings and completely disregard them."

EV certificates, which require stricter vetting of the site owner's identity before issuance and which browsers highlight with the green address-bar indicator, were designed to help foil phishing and are typically used by popular sites that see heavy HTTPS traffic.

While it can be argued that this flaw cannot be easily exploited--an attacker still needs a man-in-the-middle position between the victim and the site, plus a fraudulently issued certificate for that site, after all--the fact that the security options don't work as expected is troubling. For now, Ars Technica is advising users to delete the DigiNotar root certificates from the keychain outright, rather than merely marking them untrusted, to get around the bug.
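The two remediation routes above (mark the DigiNotar roots untrusted, or delete them) can be scripted with the `security` command-line tool. The script below is an added example written for this article, not Apple's or Ars Technica's own code. It assumes the Mac OS X 10.6/10.7-era layout the article concerns: the bundled roots live in `/System/Library/Keychains/SystemRootCertificates.keychain`, which root could still modify at the time, and the working directory and file names are the author's choices. It dumps every bundled root, picks out the DigiNotar ones by subject, applies an admin-level "deny" for the SSL policy (the Keychain "Never Trust" step the EV code path ignores), deletes the roots (the Ars Technica step), and then checks with `security verify-cert` that each root really is no longer trusted.

```shell
#!/bin/sh
# Added example for this article (not Apple's or Ars Technica's own code).
# Assumes the 2011-era Mac OS X layout: bundled roots in
# SystemRootCertificates.keychain, writable by root. On current macOS that
# keychain is read-only under SIP and the delete step will fail.
# Usage: sudo sh diginotar-cleanup.sh
set -u

SYSTEM_ROOTS=/System/Library/Keychains/SystemRootCertificates.keychain
WORKDIR=${TMPDIR:-/tmp}/diginotar-cleanup   # hypothetical scratch location

# Return 0 when an "openssl x509 -subject" line names a DigiNotar CA.
# Matches the organisation or the common name, with or without the spaces
# around "=" that newer OpenSSL versions print.
is_diginotar_subject() {
    printf '%s\n' "$1" | grep -qiE '(O|CN) ?= ?DigiNotar'
}

# Export every bundled root to its own PEM file and print the paths of
# those issued by DigiNotar. No -c filter is used so the match is on the
# parsed subject rather than on the keychain label.
find_diginotar_roots() {
    mkdir -p "$WORKDIR"
    security find-certificate -a -p "$SYSTEM_ROOTS" > "$WORKDIR/all-roots.pem"
    awk -v dir="$WORKDIR" '
        /-----BEGIN CERTIFICATE-----/ {
            if (f != "") close(f)
            n++; f = sprintf("%s/root-%03d.pem", dir, n)
        }
        f != "" { print > f }' "$WORKDIR/all-roots.pem"
    for f in "$WORKDIR"/root-*.pem; do
        subj=$(openssl x509 -noout -subject -in "$f")
        if is_diginotar_subject "$subj"; then
            printf '%s\n' "$f"
        fi
    done
}

# Step 1, the Keychain "Never Trust" route: an admin-level (-d) deny for the
# SSL policy. Honoured for ordinary chains, but not for ones Mac OS X treats
# as EV, which is the bug the article describes.
deny_root() {
    security add-trusted-cert -d -r deny -p ssl "$1"
}

# Step 2, the Ars Technica route: remove the root so there is nothing left
# for the EV code path to trust. -Z selects the cert by SHA-1 fingerprint,
# -t also drops any per-user trust settings attached to it.
delete_root() {
    sha1=$(openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/.*=//; s/://g')
    security delete-certificate -Z "$sha1" -t "$SYSTEM_ROOTS"
}

# Step 3, the check: verification of the root under the SSL policy must
# now fail. Returns 1 (and complains) if the root is still trusted.
verify_removed() {
    if security verify-cert -c "$1" -p ssl >/dev/null 2>&1; then
        echo "STILL TRUSTED: $1" >&2
        return 1
    fi
    echo "no longer trusted: $1"
}

main() {
    roots=$(find_diginotar_roots)
    [ -n "$roots" ] || { echo "no DigiNotar roots found in $SYSTEM_ROOTS"; return 0; }
    for f in $roots; do
        openssl x509 -noout -subject -in "$f"
        deny_root "$f"
        delete_root "$f"
        verify_removed "$f"
    done
}

# Only run the procedure itself on a Mac, as root; the helpers are usable anywhere.
[ "$(uname)" = Darwin ] && [ "$(id -u)" -eq 0 ] && main
```

Step 1 is kept even though step 2 makes it redundant for the roots themselves: the deny entry is what protects non-EV chains if the root is ever reinstalled by a system update, while the deletion is what actually closes the EV hole this article is about.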

For more:
- check out this article at Computerworld
- check out this article at Ars Technica
