Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

MacRumors

macrumors bot
Original poster
Apr 12, 2001
63,279
30,340



airport_utility_icon-250x250.jpg
Apple today released AirPort Extreme and AirPort Time Capsule Firmware Update 7.7.3 for AirPorts with 802.11ac. The update includes security improvements related to SSL/TLS.
AirPort Base Station Firmware Update 7.7.3
Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac

Impact: An attacker in a privileged network position may obtain memory contents

Description: An out-of-bounds read issue existed in the OpenSSL library when handling TLS heartbeat extension packets. An attacker in a privileged network position could obtain information from process memory. This issue was addressed through additional bounds checking. Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue.
Earlier this month, an OpenSSL bug known as Heartbleed made headlines, with Apple releasing a statement noting that iOS, OS X, and its "key web services" were unaffected by the security flaw, but it appears that the company's AirPort Extreme and AirPort Time Capsule were vulnerable.

The 7.7.3 update is recommended for all models of the AirPort Extreme and Time Capsule that support 802.11ac Wi-Fi, other AirPort base stations do not need to be updated.

Article Link: Apple Releases AirPort Extreme and Time Capsule Firmware Update 7.7.3 With Heartbleed Fix
 

ColemanCDA

macrumors newbie
Apr 22, 2014
2
0
well what do you expect ?
more than a week to figure out that a product is linked with a faulty lib !!
Perhaps they don't read news :p
Good job Apple

Airport doesn't ship with OS X or iOS. The OS is http://en.wikipedia.org/wiki/VxWorks and outsourced. I do believe that they should have fixed the issue faster but it should be because they should include iOS with Airport and have complete control and not because they "don't read the news'.
 

coolfactor

macrumors 604
Jul 29, 2002
6,987
9,572
Vancouver, BC
"APPLE SUX! HAHAHAHA"

No, seriously, I wonder how many other routers out there are vulnerable to this and yet will never receive firmware updates because they are too difficult to install, unlike Airport routers?

I wonder if this vulnerability is unique to Airport routers because of the Back to the Mac feature that requires user credentials to stored in order to operate correctly?
 

ColemanCDA

macrumors newbie
Apr 22, 2014
2
0
"APPLE SUX! HAHAHAHA"

No, seriously, I wonder how many other routers out there are vulnerable to this and yet will never receive firmware updates because they are too difficult to install, unlike Airport routers?

I wonder if this vulnerability is unique to Airport routers because of the Back to the Mac feature that requires user credentials to stored in order to operate correctly?

Now that I think of it I highly doubt it. Most routers that don't update firmware remotely are screwed.
 

Ralf The Dog

macrumors regular
May 1, 2008
192
0
well what do you expect ?
more than a week to figure out that a product is linked with a faulty lib !!
Perhaps they don't read news :p
Good job Apple

Step 1, Find the bug.
Step 2, Fix the bug.
Step 3, Test the fix.
Step 4, Test the fix.
Step 5, Test the fix.
Step 6, Test the fix.
Step 7, Release the fix.
 

PsyOpWarlord

macrumors 6502
Nov 11, 2010
334
26
Colorado Springs, CO
This is something I was also wondering, I just checked and their does not seem to be any updates for them. Hopefully they are not affected.

Did you read the article?

Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue.
 

MR-LIZARD

macrumors regular
Jan 9, 2012
102
156
UK
My understanding is that to exploit the Heartbleed flaw in the router would require the attacker to be already on your network; i.e. they know your wifi password. Apple's words it as being in a "...privileged network position..."

A fair number of routers of all brands are affected but as the attacker already needs to be part of your network the risk is small for most users. If your needs are to open up your wifi for guests then hopefully you have other security measures in place as Heartbleed is provably the least of your worries.

Worth getting fixed, but probably not as bad as people may think.
 

leman

macrumors Core
Oct 14, 2008
19,146
18,871
Step 1, Find the bug.
Step 2, Fix the bug.
Step 3, Test the fix.
Step 4, Test the fix.
Step 5, Test the fix.
Step 6, Test the fix.
Step 7, Release the fix.

You don't seem to realise it, but the bug has already been found (its in the OpenSSL library used by 2/3 of servers out there) and fixed on 7. of April by the OpenSSL team. Fixing it in the router involves downloading the patched source code and recompiling the router firmware - its literally takes five minutes. There is nothing to test, because it has been tested ad nauseum by thousands of people worldwide.

Its a disgrace that Apple actually took several weeks to release the fix, AFTER the existence of the bug has become common knowledge. Such things should be an absolute priority!

----------

My understanding is that to exploit the Heartbleed flaw in the router would require the attacker to be already on your network; i.e. they know your wifi password. Apple's words it as being in a "...privileged network position..."

True, but the delay in fixing it is still quite irresponsible...
 

C DM

macrumors Sandy Bridge
Oct 17, 2011
51,390
19,458
You don't seem to realise it, but the bug has already been found (its in the OpenSSL library used by 2/3 of servers out there) and fixed on 7. of April by the OpenSSL team. Fixing it in the router involves downloading the patched source code and recompiling the router firmware - its literally takes five minutes. There is nothing to test, because it has been tested ad nauseum by thousands of people worldwide.

Its a disgrace that Apple actually took several weeks to release the fix, AFTER the existence of the bug has become common knowledge. Such things should be an absolute priority!

----------



True, but the delay in fixing it is still quite irresponsible...
Is recompiling against a recompiled source something that is guaranteed not to affect anything else whatsoever, or could there be some unknown/undesirable side-effects that no one would really know about without testing out various scenarios to see if they would still work properly or not?
 

jayducharme

macrumors 601
Jun 22, 2006
4,516
5,935
The thick of it
I hope there's an update coming for older n AirPort routers. I have one at home and one at work, and ever since the last update they've been dropping their ability to connect to the Internet. Restarting them fixes the problem for a few hours or a few days, and then the connection drops again. Never was an issue before the last update.
 

iNosey

macrumors member
Jan 24, 2012
64
20
Yes, but does anyone know why the 802.11n models aren't affected? They do have Back to My Mac..
No idea. I'd say it is whatever coding is associated with the "AC" part of the airports. My guess is something with the dual connections. Id have to look into it though
 

MikhailT

macrumors 601
Nov 12, 2007
4,582
1,325
I hope there's an update coming for older n AirPort routers. I have one at home and one at work, and ever since the last update they've been dropping their ability to connect to the Internet. Restarting them fixes the problem for a few hours or a few days, and then the connection drops again. Never was an issue before the last update.

This security update already said the older routers are not affected. So, no, there will not be an update for those routers. A general update for improvements and bug fixes may come but I doubt any time soon. Airports don't get updates that often.

You don't seem to realise it, but the bug has already been found (its in the OpenSSL library used by 2/3 of servers out there) and fixed on 7. of April by the OpenSSL team. Fixing it in the router involves downloading the patched source code and recompiling the router firmware - its literally takes five minutes. There is nothing to test, because it has been tested ad nauseum by thousands of people worldwide.

Its a disgrace that Apple actually took several weeks to release the fix, AFTER the existence of the bug has become common knowledge. Such things should be an absolute priority!

----------



True, but the delay in fixing it is still quite irresponsible...

It's not really a big problem as you're making it seem. This exploit explicitly requires the attacker to be in your network. If the attacker is already in your network, you have much bigger problems than this exploit.

Heartbleed on web servers is far more complex to fix. Fixing this problem in the code is not the cure but just the first phase. Every affected website is going to have to revoke their SSL certificate, get a brand new one (these usually takes weeks), and then force everybody to change your data. All of this is going to take months to resolved for everybody.

And also, there are far more router companies that are not going to release updates for their routers to fix this if they use that affected code of OpenSSL.
 

rudigern

macrumors member
Apr 20, 2010
75
104
There is nothing to test, because it has been tested ad nauseum by thousands of people worldwide.

You don't do software development do you. Firmware is especially fragile because if it doesn't work, you could have all your customers lined out the front of your store with bricked Airports.
 

leman

macrumors Core
Oct 14, 2008
19,146
18,871
Is recompiling against a recompiled source something that is guaranteed not to affect anything else whatsoever, or could there be some unknown/undesirable side-effects that no one would really know about without testing out various scenarios to see if they would still work properly or not?

Usually, fixing a bug of this kind does not change the API behaviour at all (except denying the particular type of attack). To make sure of this, OpenSSL is accompanied by a suite of unit tests which make sure that the framework is behaving as desired.

So while what you are saying is certainly a possibility, its more an academic one. The API is well defined and well understood, and also thoroughly tested after the fix. Sure, it is possible that the fix has introduced another bug, but if the whole world has not found it after testing the new version for quite some time, I doubt that Apple will ;)
 

66318

macrumors regular
Jan 31, 2006
130
56
Yes, but does anyone know why the 802.11n models aren't affected? They do have Back to My Mac..
They likely didn't use a version of OpenSSL with the bug. Only specific versions required a fix, a version that didn't exist when Apple was working on the 802.11n products.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.