Apple on Thursday released a statement saying its major operating platforms, iOS, OS X and certain Web services, are not affected by the massive "Heartbleed" security flaw discovered earlier this week.
As reported by Re/code, Apple has confirmed that its systems and services remain largely untouched by the secure sockets layer (SSL) bug known as "Heartbleed," a bug found in open source software that could potentially compromise the passwords and personal information of millions.
"Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected," the spokesperson said.
News of Heartbleed, the name given to the bug officially designated CVE-2014-0160 by MITRE, first broke earlier this week. The flaw lies in the OpenSSL implementation of the TLS/DTLS heartbeat extension and, when exploited, leaks memory in either direction: from server to client or from client to server.
According to Heartbleed.org, the bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software, including the secret keys websites use to encrypt traffic. Attackers can use that data to gather usernames and passwords, eavesdrop on communications and steal data directly from affected services.
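The memory leak described above comes down to one missing length check: a heartbeat message carries a 16-bit payload_length field, and affected OpenSSL builds copied that many bytes into the reply without confirming the record actually contained them. The following is an added example, not code from the article or from OpenSSL, showing a heartbeat parser that performs the check RFC 6520 requires (discard the message if the declared length does not fit) and an echo responder that only ever returns bytes the request really carried. The message framing follows RFC 6520; the zero padding in `build_heartbeat` is a constructed simplification, since real senders use random padding.

```python
import struct
from typing import Tuple

# Heartbeat message types from RFC 6520.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
# RFC 6520 requires at least 16 bytes of padding after the payload.
MIN_PADDING = 16
HEADER_LEN = 1 + 2  # type byte + 16-bit payload_length


def parse_heartbeat(record: bytes) -> Tuple[int, bytes]:
    """Parse one HeartbeatMessage body and return (type, payload).

    Raises ValueError when the peer's declared payload_length does not fit
    inside the bytes actually received. Affected OpenSSL versions trusted
    that field and copied payload_length bytes into the reply, which is how
    up to 64 KiB of process memory could leak per request.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        raise ValueError("record too short to be a heartbeat message")
    hb_type = record[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise ValueError(f"unknown heartbeat type {hb_type}")
    (payload_length,) = struct.unpack("!H", record[1:3])
    # The bounds check the fixed release added: header, declared payload
    # and minimum padding must all fit in the record that arrived.
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        raise ValueError(
            f"declared payload_length {payload_length} exceeds the "
            f"{len(record)}-byte record; discarding (RFC 6520)"
        )
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return hb_type, payload


def build_heartbeat(hb_type: int, payload: bytes) -> bytes:
    """Serialise a well-formed HeartbeatMessage.

    Padding is all zeros here for reproducibility (constructed
    simplification); real implementations send random padding.
    """
    if len(payload) > 0xFFFF:
        raise ValueError("payload too long for a 16-bit length field")
    return bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + bytes(MIN_PADDING)


def build_response(request: bytes) -> bytes:
    """Answer a heartbeat_request by echoing only the bytes it really carried."""
    hb_type, payload = parse_heartbeat(request)
    if hb_type != HEARTBEAT_REQUEST:
        raise ValueError("only heartbeat_request messages get a response")
    return build_heartbeat(HEARTBEAT_RESPONSE, payload)


def is_well_formed(record: bytes) -> bool:
    """True if the record passes every check in parse_heartbeat."""
    try:
        parse_heartbeat(record)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    good = build_heartbeat(HEARTBEAT_REQUEST, b"ping")
    # Constructed malformed record: the length field claims 1000 bytes
    # (0x03E8) but only four payload bytes follow the header.
    bad = bytes([HEARTBEAT_REQUEST, 0x03, 0xE8]) + b"ping" + bytes(MIN_PADDING)
    print("well-formed:", is_well_formed(good), "malformed:", is_well_formed(bad))
    print("response:", build_response(good).hex())
```

The key line is the comparison against `len(record)`: a parser that trusts `payload_length` and slices or copies that many bytes from a larger buffer is the defect; a parser that discards the message when the arithmetic does not add up is the fix.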
Major websites like Google, Facebook and others have already deployed fixes for the flaw, but security researchers still urge users to change their passwords, since those sites were exposed for a period before they were patched.
If you ever used MacPorts to download anything check your openssl package. In the console type:
$ openssl version
If it shows 0.9.8y (the Mavericks default) you're fine. If it shows 1.0.1 then your mac has the vulnerability. 1.0.1g has the patched library.
do:
$ sudo port upgrade openssl
For brew users I THINK the proper way to update is:
$ brew update
$ brew install openssl
$ brew link --force openssl
But check on the web. I don't use brew.
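The version check in the comment above can be scripted so it is not done by eye. This is an added example, not the commenter's code: it parses the banner `openssl version` prints and flags the affected range published with CVE-2014-0160 (1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release; 0.9.8 and 1.0.0 never had the heartbeat code and 1.0.1g is the first fixed release). The sample banners are constructed for illustration, and the `local_openssl_banner` helper is an assumption about how one would wire it to the installed binary.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Affected builds per the CVE-2014-0160 advisory: OpenSSL 1.0.1 through 1.0.1f,
# plus the 1.0.2-beta1 pre-release. 0.9.8 and 1.0.0 never carried the heartbeat
# code, and 1.0.1g is the first fixed release.
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(-beta\d+)?")


def parse_banner(banner: str) -> Tuple[int, int, int, str, str]:
    """Split an `openssl version` banner into (major, minor, patch, letter, beta)."""
    m = _BANNER_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised openssl banner: {banner!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    return major, minor, patch, m.group(4), m.group(5) or ""


def is_heartbleed_vulnerable(banner: str) -> bool:
    """True if the banner names a release in the affected range.

    Caveat: distributions sometimes backport the fix without changing the
    letter suffix, so a vulnerable-looking banner on a vendor-patched build
    is a prompt to check the package changelog, not a final verdict.
    """
    major, minor, patch, letter, beta = parse_banner(banner)
    if (major, minor, patch) == (1, 0, 1):
        return letter < "g"      # "" (plain 1.0.1) and "a".."f" are affected
    if (major, minor, patch) == (1, 0, 2):
        return beta == "-beta1"  # only the first 1.0.2 beta shipped the bug
    return False


def local_openssl_banner() -> Optional[str]:
    """Run `openssl version` on this machine, or return None if no binary is on PATH.

    Hypothetical helper for wiring the check to the installed library;
    which binary PATH resolves to (system, MacPorts or brew) is what you
    are really testing, so run it from the same shell your services use.
    """
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True, check=False)
    return out.stdout.strip() or None


if __name__ == "__main__":
    # Constructed sample banners in the shape `openssl version` prints.
    for sample in ("OpenSSL 0.9.8y 5 Feb 2013",
                   "OpenSSL 1.0.1e 11 Feb 2013",
                   "OpenSSL 1.0.1g 7 Apr 2014"):
        print(f"{sample:32} vulnerable={is_heartbleed_vulnerable(sample)}")
    local = local_openssl_banner()
    if local:
        print(f"this machine: {local} vulnerable={is_heartbleed_vulnerable(local)}")
```

Because the letter suffix sorts alphabetically, the comparison against `"g"` covers every pre-fix 1.0.1 build, including the unsuffixed 1.0.1, in a single test; anything outside the 1.0.1 and 1.0.2-beta1 lines is reported as unaffected on version grounds alone.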
This information is only really relevant if you're running OS X on your servers. The heartbleed bug targets web servers, not end user machines. As long as the sites you visit are vulnerable to the heartbleed bug, the credentials you use to authenticate to those sites could be at risk regardless of what OS you are running on your personal machine. Edit: I don't know what I'm talking about; I did not consider the possibility of a client initiating a "secure" SSL connection to an untrustworthy server. Heartbleed can definitely affect clients as well. http://security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely?lq=1
This information is only really relevant if you're running OS X on your servers. The heartbleed bug targets web servers, not end user machines. As long as the sites you visit are vulnerable to the heartbleed bug, the credentials you use to authenticate to those sites could be at risk regardless of what OS you are running on your personal machine.
True, but some things are services that might run on your desktop. For example PostgreSQL uses OpenSSL. I have that installed on my machine for stuff. Then again, I'm a dev.
Good ole Apple protecting us!
This information is only really relevant if you're running OS X on your servers. The heartbleed bug targets web servers, not end user machines. As long as the sites you visit are vulnerable to the heartbleed bug, the credentials you use to authenticate to those sites could be at risk regardless of what OS you are running on your personal machine.
The hell it is. It's relevant to anyone running MacPorts, BREW or any other add-on series of UNIX Services not provided by Apple's OS X infrastructure and Dev Tools.