Apple says iOS, OS X and certain Web services protected against 'Heartbleed'
Apple on Thursday released a statement saying its major operating platforms, iOS, OS X and certain Web services, are not affected by the massive "Heartbleed" security flaw discovered earlier this week.
As reported by Re/code, Apple has confirmed that its systems and services remain largely untouched by the secure sockets layer (SSL) bug known as "Heartbleed," a bug found in open source software that could potentially compromise the passwords and personal information of millions.
"Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected," the spokesperson said.
News of Heartbleed, a name given to the bug officially designated as CVE-2014-0160 by MITRE, first hit earlier this week. The flaw was discovered in the OpenSSL implementation of the TLS/DTLS heartbeat extension and, when exploited, leaks cached memory in both directions, server-to-client and client-to-server.
According to Heartbleed.org, the bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of OpenSSL software, including the secret keys websites use to encrypt traffic. Nefarious users can use the data to gather usernames and passwords, eavesdrop on communications and steal data directly from affected services.
Major websites like Google, Facebook and others have already implemented fixes for the flaw, but security researchers still urge users to change their passwords as there was a point when these sites were not patched.
Comments
In the console type:
$ openssl version
If it shows 0.9.8y (the Mavericks default) you're fine. If it shows 1.0.1 then your Mac has the vulnerability. 1.0.1g has the patched library.
do:
$ sudo port upgrade openssl
For brew users I THINK the proper way to update is:
$ brew update
$ brew install openssl
$ brew link --force openssl
But check on the web. I don't use brew.
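The version check above, generalised into a small script (added here, not from the article or from any commenter): it classifies the string printed by `openssl version` against the CVE-2014-0160 affected range (1.0.1 through 1.0.1f and 1.0.2-beta1) rather than only the two values the comment mentions, and it carries the caveat that vendor-patched builds can keep an old version string. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article or from any commenter above: classify
# the output of `openssl version` against the CVE-2014-0160 affected range.
# Upstream affected releases: 1.0.1 through 1.0.1f inclusive, and 1.0.2-beta1.
# Not affected: 0.9.8.x and 1.0.0.x (no heartbeat code), 1.0.1g and later,
# 1.0.2-beta2 and later.
#
# Usage: heartbleed_status "OpenSSL 1.0.1e 11 Feb 2013"
# Prints exactly one word: vulnerable, not-affected, or unknown.
heartbleed_status() {
    # The version is the second whitespace-separated field of the first line.
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }')
    case "$ver" in
        "")                                echo unknown ;;
        0.9.8*|1.0.0*)                     echo not-affected ;;
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*)     echo vulnerable ;;   # incl. 1.0.1e-fips
        1.0.1[g-z]*)                       echo not-affected ;;
        1.0.2-beta1)                       echo vulnerable ;;
        1.0.2*|1.1.*|1.[2-9]*|[2-9].*)     echo not-affected ;;
        *)                                 echo unknown ;;     # e.g. LibreSSL
    esac
}

# Caveat: distributions that backported the fix keep the old version string
# (a patched build can still print "1.0.1e"). A "vulnerable" verdict from the
# string alone means "verify against the vendor's changelog", not "confirmed".
# `openssl version -b` prints the build date, a useful second signal: a 1.0.1x
# binary built before 7 Apr 2014 (the 1.0.1g release date) cannot contain the fix.

# Check the OpenSSL found on PATH, if any, and report both signals.
# Returns 0 when the version string is not in the affected range.
check_local_openssl() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl: not found on PATH"
        return 2
    fi
    banner=$(openssl version)
    status=$(heartbleed_status "$banner")
    printf '%s -> %s (%s)\n' "$banner" "$status" "$(openssl version -b)"
    [ "$status" != vulnerable ]
}
```

Run `check_local_openssl` after sourcing the file; it exits non-zero when the local build reports an affected version string.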
This information is only really relevant if you are running OS X on your servers. The heartbleed bug targets web servers, not end user machines. As long as the sites you visit are vulnerable to the heartbleed bug, the credentials you use to authenticate to those sites could be at risk regardless of what OS you are running on your personal machine.
Edit: I don't know what I'm talking about; I did not consider the possibility of a client initiating a "secure" SSL connection to an untrustworthy server. Heartbleed can definitely affect clients as well. http://security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely?lq=1
This information is only really relevant if you are running OS X on your servers. The heartbleed bug targets web servers, not end user machines. As long as the sites you visit are vulnerable to the heartbleed bug, the credentials you use to authenticate to those sites could be at risk regardless of what OS you are running on your personal machine.
True, but some things are services that might run on your desktop. For example PostgreSQL uses OpenSSL. I have that installed on my machine for stuff. Then again, I'm a dev.
This information is only really relevant if you are running OS X on your servers. The heartbleed bug targets web servers, not end user machines. As long as the sites you visit are vulnerable to the heartbleed bug, the credentials you use to authenticate to those sites could be at risk regardless of what OS you are running on your personal machine.
The hell it is. It's relevant to anyone running MacPorts, BREW or any other add-on series of UNIX Services not provided by Apple's OS X infrastructure and Dev Tools.
If your personal machine allows access from the Internet and has either a self-signed certificate or a valid certificate and is exposing any SSL suites using the unpatched version of OpenSSL, then it would be vulnerable to Heartbleed. If it is not offering any SSL suites to clients then it is not vulnerable. So in that sense, the other poster is correct because unless you are serving connections to SSL suites then there is no attack possible. This has nothing to do with you, as a client, connecting to a server using SSL, except that if whatever server you are connecting to is vulnerable, your personal information is at risk. Heartbleed is not a virus. It is a method of attacking a server running something in SSL with OpenSSL in which the vulnerability exposes access to the server's memory, cache, cookies, etc. where information about recent visitors is stored, but not the disk storage. The attack can also steal the server's private keys in the same manner, which could allow malicious impersonation of a trusted certificate.
This is false. Clients are vulnerable too.
According to RFC 6520, heartbeats should not be sent during handshakes. In practice, OpenSSL accepts heartbeats right after sending a ServerHello (this is what Jared Stafford's ssltest.py does). Upon further testing, I have discovered that servers can abuse clients by sending a Heartbeat right after sending the ServerHello too. It triggers the same bug.
A proof of concept can be found in my repo at https://github.com/Lekensteyn/pacemaker. From its README:
It has been demonstrated that about 64 KiB of memory (65565 bytes) is indeed returned. It has also been demonstrated that clients (wget) can leak more data under certain circumstances (after an HTTP redirect over HTTPS).
Also, a lot of things are servers that we forget about. For example Call of Duty is a server and is vulnerable to the Heartbleed exploit and as I mentioned PostgreSQL.
The more I look the more I see OpenSSL in stuff I use. Even updating the version MacPorts installs isn't a guarantee.
PostgreSQL CAN use SSL as a server instance, only if there is a certificate being presented; otherwise, the management desktop suite cannot connect using SSL. I'm certainly not a security expert but I have spent the better part of two days learning and checking all of our servers against https://www.ssllabs.com/ssltest/index.html to help our lame IT department. You'll need to go into considerable detail to refute my original comments. I don't think you have researched this as much as I have. I can be corrected, but you'll need to cite authoritative sites. Clients are vulnerable but only if they are connecting to a compromised server.
Apple needs to make an ad for that.
I can just picture the interaction between the PC Guy and the Mac Guy about Heartbleed..
Windows is not affected by this bug either, as it does not use OpenSSL.
Good to hear, though again this article makes it sound as if when using Apple you are better protected against Heartbleed while it is pretty much the same. Google's Chrome OS, Android and Chrome also weren't affected (nor is Windows btw). Just like Apple it did affect some of Google's online services but they are already patched, just like is the case with Apple I presume. I guess it's the way you spin it; saying most are unaffected sounds better than saying some are affected, but it's the same thing. Yahoo and Tumblr seem to be the most affected of the big names on the internet.
A more important question actually is, how many and which apps in the Play Store, App Store and Windows Phone store are affected?
Is there any protection we can use for this problem?
Unfortunately there isn't much (if anything) we can do. We pretty much are dependent on the companies/developers to fix it; all we can do is change our password once it's fixed. Changing your password while it's not yet fixed would be useless as well. As far as I know there is no pro-active way of protecting yourself against this (edit: with the exception of using two-factor authentication as d4NjvRzf mentions below; this doesn't guarantee that your password won't be leaked but it at least prevents access even if it did).