AppleInsider › Forums › General › General Discussion › Apple says iOS, OS X and certain Web services protected against 'Heartbleed'

Apple says iOS, OS X and certain Web services protected against 'Heartbleed'

post #1 of 38
Thread Starter 
Apple on Thursday released a statement saying its major operating platforms, iOS, OS X and certain Web services, are not affected by the massive "Heartbleed" security flaw discovered earlier this week.



As reported by Re/code, Apple has confirmed that its systems and services remain largely untouched by the secure sockets layer (SSL) bug known as "Heartbleed," a bug found in open source software that could potentially compromise the passwords and personal information of millions.

"Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected," the spokesperson said.

News of Heartbleed, a name given to the bug officially designated as CVE-2014-0160 by MITRE, first hit earlier this week. The flaw was discovered in the OpenSSL implementation of the TLS/DTLS heartbeat extension and, when exploited, leaks both server-client and client-to-server cached memory.

According to Heartbleed.org, the bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of OpenSSL software, including secret keys websites used to encrypt traffic. Nefarious users can use the data to gather usernames and passwords, eavesdrop on communications and steal data directly from services affected.

Major websites like Google, Facebook and others have already implemented fixes for the flaw, but security researchers still urge users to change their passwords as there was a point when these sites were not patched.
post #2 of 38
If you ever used MacPorts to download anything check your openssl package.

In the console type:

$ openssl version

If it shows 0.9.8y (the Mavericks default) you're fine. If it shows 1.0.1 then your Mac has the vulnerability. 1.0.1g has the patched library.

do:

$ sudo port upgrade openssl

For brew users I THINK the proper way to update is:

$ brew update
$ brew install openssl
$ brew link --force openssl

But check on the web. I don't use brew.
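A small checker that applies the version rule from this post, added here as an example (it is not from the post, MacPorts or Homebrew). It classifies the line `openssl version` prints against the Heartbleed range: 1.0.1 through 1.0.1f and 1.0.2-beta1 are affected; 0.9.8.x and 1.0.0.x never had the heartbeat code, and 1.0.1g, 1.0.2-beta2 and later are fixed. It assumes the usual `OpenSSL <major>.<minor>.<fix>[letter][-betaN] <date>` shape; the sample strings in `main` are constructed.

```c
/* Added example: classify `openssl version` output against the Heartbleed range.
 * Build and use:  cc -std=c99 -o osslcheck osslcheck.c
 *                 ./osslcheck "$(openssl version)"
 */
#include <stdio.h>
#include <string.h>

enum ossl_status { OSSL_UNKNOWN = -1, OSSL_SAFE = 0, OSSL_VULNERABLE = 1 };

/* Split "OpenSSL 1.0.1f 6 Jan 2014" into 1, 0, 1, letter 'f', beta 0.
 * Returns 0 when the string does not carry three dotted numbers. */
static int parse_version(const char *s, int *maj, int *min, int *fix,
                         char *letter, int *beta)
{
    int consumed = 0;
    if (strncmp(s, "OpenSSL", 7) == 0) s += 7;        /* prefix is optional */
    while (*s == ' ' || *s == '\t') s++;
    if (sscanf(s, "%d.%d.%d%n", maj, min, fix, &consumed) != 3) return 0;
    s += consumed;
    *letter = 0;
    if (*s >= 'a' && *s <= 'z') *letter = *s++;        /* patch letter, e.g. 'f' */
    *beta = 0;
    if (strncmp(s, "-beta", 5) == 0) {                 /* "-beta1", "-beta2", ... */
        *beta = 1;
        sscanf(s + 5, "%d", beta);
    }
    return 1;
}

/* The version rule: only the 1.0.1 branch up to 1.0.1f, plus 1.0.2-beta1,
 * carried the broken heartbeat code. */
enum ossl_status heartbleed_status(const char *version_line)
{
    int maj, min, fix, beta;
    char letter;
    if (!parse_version(version_line, &maj, &min, &fix, &letter, &beta))
        return OSSL_UNKNOWN;
    if (maj != 1 || min != 0) return OSSL_SAFE;        /* 0.9.8.x, 1.1.x, 3.x */
    if (fix == 1)                                      /* 1.0.1 .. 1.0.1f */
        return (letter == 0 || letter <= 'f') ? OSSL_VULNERABLE : OSSL_SAFE;
    if (fix == 2)                                      /* 1.0.2-beta1 only */
        return (beta == 1) ? OSSL_VULNERABLE : OSSL_SAFE;
    return OSSL_SAFE;                                  /* 1.0.0.x */
}

static const char *status_name(enum ossl_status st)
{
    return st == OSSL_VULNERABLE ? "VULNERABLE" : st == OSSL_SAFE ? "not affected" : "unrecognised";
}

int main(int argc, char **argv)
{
    /* Constructed samples for an offline run; a command-line argument overrides them. */
    const char *samples[] = { "OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.1f 6 Jan 2014",
                              "OpenSSL 1.0.1g 7 Apr 2014", "OpenSSL 1.0.2-beta1 24 Feb 2014" };
    if (argc > 1) {
        printf("%s -> %s\n", argv[1], status_name(heartbleed_status(argv[1])));
        return 0;
    }
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s -> %s\n", samples[i], status_name(heartbleed_status(samples[i])));
    return 0;
}
```

Two caveats when using it. Run it once per openssl binary on the machine (`which -a openssl`): Apple's `/usr/bin/openssl` and the MacPorts or Homebrew one report different versions, and only the first one on `PATH` answers a bare `openssl version`. The string also says nothing about programs that bundle their own copy of libssl, which have to be checked separately.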
post #3 of 38

This information is only really relevant if you are running OS X on your servers. The heartbleed bug targets web servers, not end user machines. As long as the sites you visit are vulnerable to the heartbleed bug, the credentials you use to authenticate to those sites could be at risk regardless of what OS you are running on your personal machine.

 

Edit: I don't know what I'm talking about; I did not consider the possibility of a client initiating a "secure" SSL connection to an untrustworthy server. Heartbleed can definitely affect clients as well. http://security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely?lq=1


Edited by d4NjvRzf - 4/10/14 at 6:53pm
post #4 of 38
Quote:
Originally Posted by d4NjvRzf View Post

This information is only really relevant if you are running OS X on your servers. The heartbleed bug targets web servers, not end user machines. As long as the sites you visit are vulnerable to the heartbleed bug, the credentials you use to authenticate to those sites could be at risk regardless of what OS you are running on your personal machine.

 

True, but some things are services that might run on your desktop.  For example PostgreSQL uses OpenSSL.  I have that installed on my machine for stuff.  Then again, I'm a dev.

post #5 of 38
Good ole Apple protecting us!
post #6 of 38
Quote:
Originally Posted by d4NjvRzf View Post

This information is only really relevant if you are running OS X on your servers. The heartbleed bug targets web servers, not end user machines. As long as the sites you visit are vulnerable to the heartbleed bug, the credentials you use to authenticate to those sites could be at risk regardless of what OS you are running on your personal machine.

 

The hell it is. It's relevant to anyone running MacPorts, BREW or any other add-on series of UNIX Services not provided by Apple's OS X infrastructure and Dev Tools.

post #7 of 38
Quote:
Originally Posted by mdriftmeyer View Post
 
Quote:
Originally Posted by d4NjvRzf View Post

This information is only really relevant if you are running OS X on your servers. The heartbleed bug targets web servers, not end user machines. As long as the sites you visit are vulnerable to the heartbleed bug, the credentials you use to authenticate to those sites could be at risk regardless of what OS you are running on your personal machine.

 

The hell it is. It's relevant to anyone running MacPorts, BREW or any other add-on series of UNIX Services not provided by Apple's OS X infrastructure and Dev Tools.

If your personal machine allows access from the Internet and has either a self signed certificate or a valid certificate and is exposing any SSL suites using the unpatched version of OpenSSL, then it would be vulnerable to Heartbleed. If it is not offering any SSL suites to clients then it is not vulnerable. So in that sense, the other poster is correct because unless you are serving connections to SSL suites then there is no attack possible. This has nothing to do with you, as a client, connecting to a server using SSL, except that if whatever server you are connecting to is vulnerable, your personal information is at risk. Heartbleed is not a virus. It is a method of attacking a server running something in SSL with OpenSSL in which the vulnerability exposes access to the server's memory, cache, cookies, etc where information about recent visitors is stored, but not the disk storage. The attack can also steal the server's private keys in the same manner, which could allow malicious impersonation of a trusted certificate.

Life is too short to drink bad coffee.
post #8 of 38
Quote:
Originally Posted by mstone View Post
 

If your personal machine allows access from the Internet and has either a self signed certificate or a valid certificate and is exposing any SSL suites using the unpatched version of OpenSSL, then it would be vulnerable to Heartbleed. If it is not offering any SSL suites to clients then it is not vulnerable. So in that sense, the other poster is correct because unless you are serving connections to SSL suites then there is no attack possible. This has nothing to do with you, as a client, connecting to a server using SSL, except that if whatever server you are connecting to is vulnerable, your personal information is at risk. Heartbleed is not a virus. It is a method of attacking a server running something in SSL with OpenSSL in which the vulnerability exposes access to the server's memory, cache, cookies, etc where information about recent visitors is stored, but not the disk storage. The attack can also steal the server's private keys in the same manner, which could allow malicious impersonation of a trusted certificate.

 

This is false.  Clients are vulnerable too.

 

According to RFC 6520, heartbeats should not be sent during handshakes. In practice, OpenSSL accepts heartbeats right after sending a ServerHello (this is what Jared Stafford's ssltest.py does). Upon further testing, I have discovered that servers can abuse clients by sending a Heartbeat right after sending the ServerHello too. It triggers the same bug.

A proof of concept can be found in my repo at https://github.com/Lekensteyn/pacemaker. From its README:

The following clients have been tested against 1.0.1f and leaked memory before the handshake:

  • MariaDB 5.5.36
  • wget 1.15 (leaks memory of earlier connections and own state)
  • curl 7.36.0
  • git 1.9.1 (tested clone / push, leaks not much)
  • nginx 1.4.7 (in proxy mode, leaks memory of previous requests)

It has been demonstrated that about 64 KiB of memory (65565 bytes) is indeed returned. It has also been demonstrated that clients (wget) can leak more data under certain circumstances (after a HTTP redirect over HTTPS).

Also, a lot of things are servers that we forget about.  For example Call of Duty is a server and is vulnerable to the Heartbleed exploit and as I mentioned PostgreSQL.

The more I look the more I see OpenSSL in stuff I use.  Even updating the version MacPorts installs isn't a guarantee.

post #9 of 38
Apple needs to make an ad for that.
post #10 of 38
Quote:
Originally Posted by nht View Post
 
Also, a lot things are servers that we forget about.  For example Call of Duty is a server and is vulnerable to the Heartbleed exploit and as I mentioned PostgreSQL.

PostgreSQL CAN use SSL as a server instance, but only if there is a certificate being presented; otherwise, the management desktop suite cannot connect using SSL. I'm certainly not a security expert but I have spent the better part of two days learning and checking all of our servers against https://www.ssllabs.com/ssltest/index.html to help our lame IT department. You'll need to go into considerable detail to refute my original comments. I don't think you have researched this as much as I have. I can be corrected, but you'll need to cite authoritative sites. Clients are vulnerable but only if they are connecting to a compromised server.


Edited by mstone - 4/10/14 at 8:14pm

Life is too short to drink bad coffee.
post #11 of 38
It was probably the 7.0.6 and 6.1.6 update
post #12 of 38
Was an SSL update, so I wonder if they reported it. It really affected a lot of sites. Glad that's patched.
post #13 of 38
Quote:
Originally Posted by bdkennedy1 View Post

Apple needs to make an ad for that.

 

 

I can just picture the interaction between the PC Guy and the Mac Guy about Heartbleed..

post #14 of 38
Quote:
Originally Posted by BestKeptSecret View Post
 

 

 

I can just picture the interaction between the PC Guy and the Mac Guy about Heartbleed..

Windows is not affected by this bug either, as it does not use OpenSSL.

post #15 of 38
Quote:
Originally Posted by bdkennedy1 View Post

Apple needs to make an ad for that.
About what, exactly? Apple is not in the server business.
post #16 of 38
Quote:
Originally Posted by Ezhik View Post

About what, exactly? Apple is not in the server business.
http://www.apple.com/mac-mini/server/

censored
post #17 of 38
Quote:
Originally Posted by Crowley View Post

http://www.apple.com/mac-mini/server/
Well it's not really fit for the type of stuff Linux is used for. Even iCloud uses Windows Azure (which is not vulnerable btw).
post #18 of 38

Good to hear, though again this article makes it sound as if when using Apple you are better protected against Heartbleed, while it is pretty much the same. Google's Chrome OS, Android and Chrome also weren't affected (nor is Windows btw). Just like Apple, it did affect some of Google's online services, but those are already patched, just like is the case with Apple I presume. I guess it's the way you spin it: saying most are unaffected sounds better than saying some are affected, but it's the same thing. Yahoo and Tumblr seem to be the most affected of the big names on the internet.

A more important question actually is, how many and which apps in the Play Store, App Store and Windows Phone store are affected?


Edited by Chipsy - 4/11/14 at 5:27am
post #19 of 38

Is there any protection we can use for this problem?

post #20 of 38
I guess under the same token Microsoft could claim they take "security very seriously" and never incorporated OpenSSL in their products.
post #21 of 38
Quote:
Originally Posted by marvfox View Post
 

Is there any protection we can use for this problem?


Unfortunately there isn't much (if anything) we can do. We are pretty much dependent on the companies/developers to fix it; all we can do, once it's fixed, is change our password. Changing your password while it's not yet fixed would be useless as well. As far as I know there is no pro-active way of protecting yourself against this (edit: with the exception of using two-factor authentication as d4NjvRzf mentions below; this doesn't guarantee that your password won't be leaked but it at least prevents access even if it did).


Edited by Chipsy - 4/11/14 at 6:25am
post #22 of 38
Quote:
Originally Posted by marvfox View Post
 

Is there any protection we can use for this problem?

Two-factor authentication would help. It works pretty well for Google accounts. iCloud has had it too as of last year.

post #23 of 38
Quote:
Originally Posted by d4NjvRzf View Post
 

Two-factor authentication would help. It works pretty well for Google accounts. iCloud has had it too as of last year.


Well it protects you as in, knowing only your password isn't sufficient to get in. But it doesn't guarantee that your password can't be stolen if the web service is vulnerable to heartbleed.

But yeah it definitely made sure that even if your password was leaked it didn't jeopardize your personal information. I use it on all services that offer it. :)

post #24 of 38
Quote:
Originally Posted by d4NjvRzf View Post
 

Windows is not affected by this bug either, as it does not use OpenSSL.

 

I think this whole thing is a great example of how the assertions made by open source advocates are based on little more than blind faith. 

 

Specifically, there are two blind faith assumptions here:

 

1. people who contribute to open source projects are altruistic

2. bugs and security flaws are more likely to be spotted if there are thousands of eyes reviewing the code

 

What we find in practice, however, is:

 

1. there are many people who are not altruistic -- in fact some that are downright sneaky and malevolent. Giving those people unfettered access to vitally important code might not be a good idea. 

2. the MEGO phenomenon is not ameliorated by the magic of open source. 

 

Maybe proprietary code isn't so bad after all... 

post #25 of 38
Quote:
Originally Posted by Blastdoor View Post
 

 

I think this whole thing is a great example of how the assertions made by open source advocates are based on little more than blind faith. 

 

Specifically, there are two blind faith assumptions here:

 

1. people who contribute to open source projects are altruistic

2. bugs and security flaws are more likely to be spotted if there are thousands of eyes reviewing the code

 

What we find in practice, however, is:

 

1. there are many people who are not altruistic -- in fact some that are downright sneaky and malevolent. Giving those people unfettered access to vitally important code might not be a good idea. 

2. the MEGO phenomenon is not ameliorated by the magic of open source. 

 

Maybe proprietary code isn't so bad after all... 

1. I think it's fair to say that most people who contribute to open source projects do so either out of pure love of coding or are paid to do so by a company, such as Redhat or Intel, which has a direct interest in the project. Even though anyone can play with the source code, it's only a few trusted developers that actually have commit access.

 

2. The assumption here is that making the code public will let larger numbers of qualified individuals review and debug the code. Whether that's true in practice depends on the project. It's probably true for large projects like Linux which are backed by major companies. This OpenSSL bug was discovered by Codenomicon and Google Security, neither of which are the primary developers of OpenSSL. Although they probably used various tools to detect that something was amiss in the first place, having the source code available to debug with likely made it easier to pinpoint the flaw in the code and expedite the patching process. 


Edited by d4NjvRzf - 4/11/14 at 7:16pm
post #26 of 38
Quote:
Originally Posted by AppleInsider View Post
Apple says iOS, OS X and certain Web services protected against 'Heartbleed'

Why is the headline making a claim that Apple's operating systems are "protected against" Heartbleed? They have no protections against it whatsoever, and a quick glance at the headline and article would create a false sense of security. Apple's software did not incorporate the affected OpenSSL implementation, but some third-party software on those platforms is affected, such as BlackBerry Mobile for iOS.


Edited by Negafox - 4/11/14 at 8:54am
post #27 of 38

It seems like they didn't sanitize a value that came from the network. If there was a naming convention for untrusted/unsanitized variables the compiler could warn upon their use in memcpy, etc. Naming conventions were how Apple was able to implement largely automated memory management.
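The unsanitized network value this post refers to, and the heartbeat-after-ServerHello behaviour quoted in post #8, come down to one handler. Below is an added example (a cut-down model written for this thread, not OpenSSL's source) of TLS heartbeat request processing per RFC 6520: the wire format is type (1 byte), payload length (2 bytes, big-endian), payload, then at least 16 bytes of padding. The vulnerable shape uses the peer-supplied length as the memcpy count without comparing it to the record length actually received; the fixed shape adds the two length checks that the 1.0.1g patch introduced. The same handler runs on both ends of a connection, which is why a client that accepts a heartbeat from a malicious server leaks in the same way. Constructed for the demo and not from the page: the 256-byte arena standing in for process memory, the SECRET string placed after the record, and the claimed length 0x4000; the vulnerable copy is clamped to the arena only so the demo has no undefined behaviour (a real process copies whatever heap memory follows the record).

```c
/* Added example: vulnerable vs. bounds-checked heartbeat handling.
 * Build: cc -std=c99 -o hb hb.c && ./hb
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define HB_MAX_RESP (3 + 65535 + HB_PADDING)

/* A received record: the bytes plus how many of them actually arrived. */
struct record { const unsigned char *data; size_t length; };

static unsigned n2s(const unsigned char *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Vulnerable shape: 'payload' is trusted straight from the network.
 * Returns the response length written to out (0 if not a request). */
size_t heartbeat_vulnerable(const struct record *rec, unsigned char *out,
                            const unsigned char *arena, size_t arena_len)
{
    const unsigned char *p = rec->data;
    unsigned hbtype = *p++;
    unsigned payload = n2s(p);             /* attacker-chosen, never checked */
    p += 2;
    if (hbtype != HB_REQUEST) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)payload;
    /* OpenSSL did memcpy(bp, pl, payload) here. Whenever payload exceeds
     * rec->length - 3 the copy runs past the record into adjacent memory.
     * The clamp to the arena exists only to keep this demo well-defined. */
    size_t avail = (size_t)((arena + arena_len) - p);
    size_t n = payload < avail ? payload : avail;
    memcpy(out + 3, p, n);
    memset(out + 3 + n, 0, HB_PADDING);
    return 3 + n + HB_PADDING;
}

/* Fixed shape: the two checks the patch added. A record that is too short,
 * or that claims more payload than arrived, is silently discarded (0). */
size_t heartbeat_fixed(const struct record *rec, unsigned char *out)
{
    if (1 + 2 + HB_PADDING > rec->length) return 0;
    const unsigned char *p = rec->data;
    unsigned hbtype = *p++;
    unsigned payload = n2s(p);
    p += 2;
    if (1 + 2 + payload + HB_PADDING > rec->length) return 0;
    if (hbtype != HB_REQUEST) return 0;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)payload;
    memcpy(out + 3, p, payload);                /* now provably inside the record */
    memset(out + 3 + payload, 0, HB_PADDING);   /* real code uses random padding */
    return 3 + payload + HB_PADDING;
}

/* Constructed "process memory": a 22-byte heartbeat record at offset 0 that
 * claims 'claimed' payload bytes but carries 3, followed at offset 64 by an
 * unrelated secret a server might have left on the heap. Returns the record
 * length that actually arrived. */
static const char SECRET[] = "Cookie: session=7f3a9c; password=hunter2";

static size_t build_arena(unsigned char *arena, size_t len, unsigned claimed)
{
    memset(arena, 0, len);
    arena[0] = HB_REQUEST;
    arena[1] = (unsigned char)(claimed >> 8);
    arena[2] = (unsigned char)claimed;
    memcpy(arena + 3, "hi!", 3);
    memcpy(arena + 64, SECRET, sizeof SECRET);
    return 3 + 3 + HB_PADDING;
}

static int contains(const unsigned char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* 1 if the vulnerable handler echoes SECRET back to the peer. */
int demo_vulnerable_leaks_secret(void)
{
    unsigned char arena[256];
    static unsigned char out[HB_MAX_RESP];
    struct record r = { arena, build_arena(arena, sizeof arena, 0x4000) };
    size_t n = heartbeat_vulnerable(&r, out, arena, sizeof arena);
    return n > 3 && contains(out + 3, n - 3, SECRET);
}

/* Fixed handler's response length for a record claiming 'claimed' bytes:
 * 0 means discarded; an honest claim of 3 yields 3 + 3 + 16 = 22. */
size_t demo_fixed_response_len(unsigned claimed)
{
    unsigned char arena[256];
    static unsigned char out[HB_MAX_RESP];
    struct record r = { arena, build_arena(arena, sizeof arena, claimed) };
    return heartbeat_fixed(&r, out);
}

int main(void)
{
    printf("vulnerable handler leaks secret: %s\n", demo_vulnerable_leaks_secret() ? "yes" : "no");
    printf("fixed handler, claimed 0x4000: response len %zu (0 = discarded)\n", demo_fixed_response_len(0x4000));
    printf("fixed handler, claimed 3:      response len %zu\n", demo_fixed_response_len(3));
    return 0;
}
```

The thing to notice is how little the fix is: the peer still chooses `payload`, but it is now compared against `rec->length`, the only length the receiver actually knows, before it is used as a copy count. A naming convention of the kind the post suggests would have flagged exactly that gap, a wire-sourced integer reaching `memcpy` without passing through a check.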

post #28 of 38
Quote:
Originally Posted by BestKeptSecret View Post

Quote:
Originally Posted by bdkennedy1 View Post

Apple needs to make an ad for that.

I can just picture the interaction between the PC Guy and the Mac Guy about Heartbleed..

As long as PC guy doesn't mention that other one-line of code SSL bug that Apple had a short while ago.
Quote:
Originally Posted by Blastdoor 
I think this whole thing is a great example of how the assertions made by open source advocates are based on little more than blind faith.

There are advantages to both closed and open routes but open sourcing everything won't always come out with the best result:

http://www.ibtimes.co.uk/heartbleed-bug-millions-android-smartphones-tablets-risk-1444175
post #29 of 38
Quote:
Originally Posted by mstone View Post
 

I'm certainly not a security expert but I have spent the better part of two days learning and checking all of our servers against https://www.ssllabs.com/ssltest/index.html to help our lame IT department, You'll need to go into considerable detail to refute my original comments. I don't think you have researched this as much as I have, I can be corrected, but you'll need to cite authoritative sites.

 

I provided a link to code that shows that some clients are vulnerable that you ignored.  Exactly what more do you need as proof?

 

Just google heartbleed and wget.  Which someone helping their lame IT department should be sufficiently skilled to do.

 

And playing the "I'm an expert" card (or the even lamer passive aggressive "I'm not an expert" card) gets you butkus on the internet.

 

And here Mr. "I'm not an expert but I researched this more than you" another link:

 

http://security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely

 

The thread has a bunch of links to client vulnerabilities.

 

So IF you have downloaded OpenSSL via MacPorts (or other source) you ARE vulnerable to a heartbleed attack if your unpatched client hits a malicious server.  And the likelihood that you are using such a client is much higher IF you are using MacPorts at all.

 

Same deal for windows users that use Cygwin.

 

Quote:
Clients are vulnerable but only if they are connecting to a compromised server.

 

Right.  And there has never been a compromised server on the internet.  The whole point is that if you have a client using openSSL there is a vulnerability to steal memory if there is a malicious server using this exploit against you.  

 

Therefore your statement: "So in that sense, the other poster is correct because unless you are serving connections to SSL suites then there is no attack possible." is categorically wrong.

 

IF YOU HAVE OPENSSL VIA MACPORTS YOU SHOULD UPDATE IT.

 

The client side vulnerability needs you to initiate the contact to a malicious server but that's the normal use case for many of these vulnerable clients (i.e. if you use them at all, it's to talk to servers).

post #30 of 38
Quote:
Originally Posted by Negafox View Post
 

Why is the headline making a claim that Apple's operating systems are "protected against" Heartbleed? They have no protections against it whatsoever, and a quick glance at the headline and article would create a false sense of security. Apple's software did not incorporate the affected OpenSSL implementation, but some third-party software on those platforms is affected, such as BlackBerry Mobile for iOS.

 

Certain apps on iOS are infected, but that would mean they took the strange step of not using Apple's crypto code.

I wanted dsadsa but it was taken.
post #31 of 38
So if "key" web services were not affected does that mean that some non-key services were? If so I'd love to know which ones!

As always with Apple you have to read between the lines because all their public messaging is scripted to within an inch of its life. Apple realises that it's worked hard to gain the trust it has and it'd be hard to win back if lost so they don't want to say anything that could come back and bite them later.
post #32 of 38
Quote:
Originally Posted by s.metcalf View Post

So if "key" web services were not affected does that mean that some non-key services were? If so I'd love to know which ones!

As always with Apple you have to read between the lines because all their public messaging is scripted to within an inch of its life. Apple realises that it's worked hard to gain the trust it has and it'd be hard to win back if lost so they don't want to say anything that could come back and bite them later.

Apple's own APIs are not affected. That's what they mean. But OpenSSL is available and can be used by certain apps.
I wanted dsadsa but it was taken.
post #33 of 38
Quote:
Originally Posted by Crowley View Post


http://www.apple.com/mac-mini/server/

:lol::lol::lol: considering that Apple doesn't even use their own "server" hardware or OS in their data centers.

post #34 of 38
So? The claim was that they don't have a server product. They do. That it isn't particularly popular is beside the point. They have one and it doesn't use OpenSSL.

censored
post #35 of 38
A specific version of Android, 4.1.1, may also be vulnerable to Heartbleed.
http://arstechnica.com/security/2014/04/vicious-heartbleed-bug-bites-millions-of-android-phones-other-devices/
melior diabolus quem scies
post #36 of 38
Quote:
Originally Posted by Gatorguy View Post

A specific version of Android, 4.1.1, may also be vulnerable to Heartbleed.
http://arstechnica.com/security/2014/04/vicious-heartbleed-bug-bites-millions-of-android-phones-other-devices/

It is, but pretty much no one uses it anymore; most who are still on 4.1 are on 4.1.2, which isn't affected. It's really only 4.1.1.
Google sent out a fix to the OEMs for the few devices affected.
post #37 of 38
Quote:
Originally Posted by Chipsy View Post

It is, but pretty much no one uses it anymore; most who are still on 4.1 are on 4.1.2, which isn't affected. It's really only 4.1.1.
Google sent out a fix to the OEMs for the few devices affected.

It's unfortunate that some of those OEMs won't be motivated to offer it.
melior diabolus quem scies
post #38 of 38
Quote:
Originally Posted by Gatorguy View Post

It's unfortunate that some of those OEM's won't be motivated to offer it.

Let's hope that with a security update like this, this will not be the case :s. Because even if the amount of devices is very small it still means some people are vulnerable.