Old Apr 22, 2014, 05:46 PM   #1
MacRumors
macrumors bot
 
Join Date: Apr 2001
Apple Releases AirPort Extreme and Time Capsule Firmware Update 7.7.3 With Heartbleed Fix




Apple today released AirPort Extreme and AirPort Time Capsule Firmware Update 7.7.3 for AirPorts with 802.11ac. The update includes security improvements related to SSL/TLS.
Quote:
AirPort Base Station Firmware Update 7.7.3
Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac

Impact: An attacker in a privileged network position may obtain memory contents

Description: An out-of-bounds read issue existed in the OpenSSL library when handling TLS heartbeat extension packets. An attacker in a privileged network position could obtain information from process memory. This issue was addressed through additional bounds checking. Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue.
Earlier this month, an OpenSSL bug known as Heartbleed made headlines, with Apple releasing a statement noting that iOS, OS X, and its "key web services" were unaffected by the security flaw, but it appears that the company's AirPort Extreme and AirPort Time Capsule were vulnerable.

The 7.7.3 update is recommended for all models of the AirPort Extreme and Time Capsule that support 802.11ac Wi-Fi; other AirPort base stations do not need to be updated.

Article Link: Apple Releases AirPort Extreme and Time Capsule Firmware Update 7.7.3 With Heartbleed Fix
MacRumors is offline   0 Reply With Quote
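The "additional bounds checking" named in the advisory quoted above, as an added example that is not part of the original thread and is not Apple's or OpenSSL's code: a heartbeat request is echoed only if its claimed payload length, plus the 3-byte header and the 16-byte minimum padding from RFC 6520, fits inside the record that was actually received. The function names, the static buffer and the sample records are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_MIN_PAD = 16 };

/* Build a heartbeat response from a received record body.
 * Returns bytes written to out, or -1 when the request must be discarded. */
long hb_build_response(const uint8_t *rec, size_t rec_len,
                       uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return -1;                     /* too short to be valid, or not a request */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The check the unpatched code lacked: the sender-supplied length
     * must fit inside the bytes that actually arrived. */
    if (HB_HEADER + claimed + HB_MIN_PAD > rec_len)
        return -1;                     /* silently discard */
    size_t resp_len = HB_HEADER + claimed + HB_MIN_PAD;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* now provably in bounds */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);   /* real stacks use random padding */
    return (long)resp_len;
}

static uint8_t demo_out[64];           /* response buffer for the demos below */

/* Constructed sample: 4-byte payload "ping", claimed length 4 (honest). */
long demo_honest(void)
{
    uint8_t rec[HB_HEADER + 4 + HB_MIN_PAD] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g' };
    return hb_build_response(rec, sizeof rec, demo_out, sizeof demo_out);
}

/* Constructed sample: the same 23 bytes on the wire, claimed length 0x4000. */
long demo_overclaim(void)
{
    uint8_t rec[HB_HEADER + 4 + HB_MIN_PAD] = { HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g' };
    return hb_build_response(rec, sizeof rec, demo_out, sizeof demo_out);
}

int main(void)
{
    printf("honest request:      %ld\n", demo_honest());
    printf("overclaimed request: %ld\n", demo_overclaim());
    return 0;
}
```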
Old Apr 22, 2014, 05:48 PM   #2
iLoveiTunes
macrumors regular
 
Join Date: Feb 2011
ooh...let the bashing begin
iLoveiTunes is offline   0 Reply With Quote
Old Apr 22, 2014, 05:50 PM   #3
jdpierce21
macrumors newbie
 
Join Date: Mar 2014
Looks like everything is getting an update today!
jdpierce21 is offline   1 Reply With Quote
Old Apr 22, 2014, 05:52 PM   #4
laurentSF
macrumors newbie
 
Join Date: Jul 2012
Quote:
Originally Posted by iLoveiTunes View Post
ooh...let the bashing begin
well what do you expect ?
more than a week to figure out that a product is linked with a faulty lib !!
Perhaps they don't read news
Good job Apple
laurentSF is offline   2 Reply With Quote
Old Apr 22, 2014, 05:56 PM   #5
ColemanCDA
macrumors newbie
 
Join Date: Apr 2014
Quote:
Originally Posted by laurentSF View Post
well what do you expect ?
more than a week to figure out that a product is linked with a faulty lib !!
Perhaps they don't read news
Good job Apple
Airport doesn't ship with OS X or iOS. The OS is http://en.wikipedia.org/wiki/VxWorks and outsourced. I do believe that they should have fixed the issue faster but it should be because they should include iOS with Airport and have complete control and not because they "don't read the news".
ColemanCDA is offline   0 Reply With Quote
Old Apr 22, 2014, 05:56 PM   #6
coolfactor
macrumors 68000
 
Join Date: Jul 2002
Location: Vancouver, BC CANADA
"APPLE SUX! HAHAHAHA"

No, seriously, I wonder how many other routers out there are vulnerable to this and yet will never receive firmware updates because they are too difficult to install, unlike Airport routers?

I wonder if this vulnerability is unique to Airport routers because of the Back to the Mac feature that requires user credentials to be stored in order to operate correctly?
coolfactor is offline   6 Reply With Quote
Old Apr 22, 2014, 05:58 PM   #7
ColemanCDA
macrumors newbie
 
Join Date: Apr 2014
Quote:
Originally Posted by coolfactor View Post
"APPLE SUX! HAHAHAHA"

No, seriously, I wonder how many other routers out there are vulnerable to this and yet will never receive firmware updates because they are too difficult to install, unlike Airport routers?

I wonder if this vulnerability is unique to Airport routers because of the Back to the Mac feature that requires user credentials to be stored in order to operate correctly?
Now that I think of it I highly doubt it. Most routers that don't update firmware remotely are screwed.
ColemanCDA is offline   3 Reply With Quote
Old Apr 22, 2014, 05:59 PM   #8
pgiguere1
macrumors 68000
 
Join Date: May 2009
Location: Montreal, Canada
Does anybody know if 802.11n AirPort Extremes need a HeartBleed patch?
pgiguere1 is offline   4 Reply With Quote
Old Apr 22, 2014, 06:00 PM   #9
Ralf The Dog
macrumors regular
 
Join Date: May 2008
Quote:
Originally Posted by laurentSF View Post
well what do you expect ?
more than a week to figure out that a product is linked with a faulty lib !!
Perhaps they don't read news
Good job Apple
Step 1, Find the bug.
Step 2, Fix the bug.
Step 3, Test the fix.
Step 4, Test the fix.
Step 5, Test the fix.
Step 6, Test the fix.
Step 7, Release the fix.
Ralf The Dog is offline   5 Reply With Quote
Old Apr 22, 2014, 06:01 PM   #10
Icaras
macrumors 601
 
Join Date: Mar 2008
Location: California, United States
OS X, iOS, and Airport Time Capsule all updated!
__________________
iMac (27-inch, Late 2012) iPad Air 2 iPhone 6 Apple TV (3rd Generation) Airport Time Capsule
Icaras is offline   2 Reply With Quote
Old Apr 22, 2014, 06:05 PM   #11
eldaria
macrumors member
 
Join Date: Jan 2008
Location: Sweden
Quote:
Originally Posted by pgiguere1 View Post
Does anybody know if 802.11n AirPort Extremes need a HeartBleed patch?
This is something I was also wondering, I just checked and there do not seem to be any updates for them. Hopefully they are not affected.
eldaria is offline   1 Reply With Quote
Old Apr 22, 2014, 06:14 PM   #12
PsyOpWarlord
macrumors regular
 
Join Date: Nov 2010
Location: Colorado Springs, CO
Quote:
Originally Posted by eldaria View Post
This is something I was also wondering, I just checked and there do not seem to be any updates for them. Hopefully they are not affected.
Did you read the article?

Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue.
PsyOpWarlord is offline   5 Reply With Quote
Old Apr 22, 2014, 06:15 PM   #13
gjvon
macrumors member
 
Join Date: Jul 2012
Location: Houston, Texas (Born and raised a Texan)
 
Quote:
Originally Posted by pgiguere1 View Post
Does anybody know if 802.11n AirPort Extremes need a HeartBleed patch?
One thing I love about Apple, they'd briefly announce an infection as soon as the problem arises. I'm going to assume no. Again. Assume.
gjvon is offline   0 Reply With Quote
Old Apr 22, 2014, 06:22 PM   #14
MR-LIZARD
macrumors newbie
 
Join Date: Jan 2012
My understanding is that to exploit the Heartbleed flaw in the router would require the attacker to be already on your network; i.e. they know your wifi password. Apple words it as being in a "...privileged network position..."

A fair number of routers of all brands are affected but as the attacker already needs to be part of your network the risk is small for most users. If your needs are to open up your wifi for guests then hopefully you have other security measures in place as Heartbleed is probably the least of your worries.

Worth getting fixed, but probably not as bad as people may think.
MR-LIZARD is offline   0 Reply With Quote
Old Apr 22, 2014, 06:25 PM   #15
leman
macrumors 601
 
Join Date: Oct 2008
Quote:
Originally Posted by Ralf The Dog View Post
Step 1, Find the bug.
Step 2, Fix the bug.
Step 3, Test the fix.
Step 4, Test the fix.
Step 5, Test the fix.
Step 6, Test the fix.
Step 7, Release the fix.
You don't seem to realise it, but the bug has already been found (it's in the OpenSSL library used by 2/3 of servers out there) and fixed on 7. of April by the OpenSSL team. Fixing it in the router involves downloading the patched source code and recompiling the router firmware - it literally takes five minutes. There is nothing to test, because it has been tested ad nauseam by thousands of people worldwide.

It's a disgrace that Apple actually took several weeks to release the fix, AFTER the existence of the bug has become common knowledge. Such things should be an absolute priority!

----------

Quote:
Originally Posted by MR-LIZARD View Post
My understanding is that to exploit the Heartbleed flaw in the router would require the attacker to be already on your network; i.e. they know your wifi password. Apple words it as being in a "...privileged network position..."
True, but the delay in fixing it is still quite irresponsible...
leman is offline   1 Reply With Quote
Old Apr 22, 2014, 06:31 PM   #16
nzalog
macrumors 6502
 
Join Date: Jul 2012
Location: Mountain View, CA
Hmm airport express not affected?
__________________
Last edited by nzalog; Yesterday at 04:42 PM.
nzalog is offline   0 Reply With Quote
Old Apr 22, 2014, 06:43 PM   #17
C DM
macrumors G5
 
Join Date: Oct 2011
Quote:
Originally Posted by leman View Post
You don't seem to realise it, but the bug has already been found (it's in the OpenSSL library used by 2/3 of servers out there) and fixed on 7. of April by the OpenSSL team. Fixing it in the router involves downloading the patched source code and recompiling the router firmware - it literally takes five minutes. There is nothing to test, because it has been tested ad nauseam by thousands of people worldwide.

It's a disgrace that Apple actually took several weeks to release the fix, AFTER the existence of the bug has become common knowledge. Such things should be an absolute priority!

----------



True, but the delay in fixing it is still quite irresponsible...
Is recompiling against a recompiled source something that is guaranteed not to affect anything else whatsoever, or could there be some unknown/undesirable side-effects that no one would really know about without testing out various scenarios to see if they would still work properly or not?
C DM is offline   3 Reply With Quote
Old Apr 22, 2014, 06:49 PM   #18
iNosey
macrumors member
 
Join Date: Jan 2012
Quote:
Originally Posted by nzalog View Post
Hmm airport express not affected?
Let me let you answer that. Does the AirPort Express use 802.11ac? No. Do you even read the article?
iNosey is offline   7 Reply With Quote
Old Apr 22, 2014, 06:49 PM   #19
jayducharme
macrumors 68020
 
Join Date: Jun 2006
Location: The thick of it
I hope there's an update coming for older n AirPort routers. I have one at home and one at work, and ever since the last update they've been dropping their ability to connect to the Internet. Restarting them fixes the problem for a few hours or a few days, and then the connection drops again. Never was an issue before the last update.
jayducharme is offline   0 Reply With Quote
Old Apr 22, 2014, 06:52 PM   #20
unobtainium
macrumors 6502a
 
Join Date: Mar 2011
Quote:
Originally Posted by iNosey View Post
Let me let you answer that. Does the AirPort Express use 802.11ac? No. Do you even read the article?
Yes, but does anyone know why the 802.11n models aren't affected? They do have Back to My Mac..
__________________
13" Retina MacBook Pro (early 2013); Airport Extreme (802.11ac); iPhone 6 (32GB); Apple TV (3rd gen)
unobtainium is offline   2 Reply With Quote
Old Apr 22, 2014, 06:55 PM   #21
iNosey
macrumors member
 
Join Date: Jan 2012
Quote:
Originally Posted by unobtainium View Post
Yes, but does anyone know why the 802.11n models aren't affected? They do have Back to My Mac..
No idea. I'd say it is whatever coding is associated with the "AC" part of the airports. My guess is something with the dual connections. I'd have to look into it though.
iNosey is offline   0 Reply With Quote
Old Apr 22, 2014, 06:57 PM   #22
MikhailT
macrumors 68040
 
Join Date: Nov 2007
Quote:
Originally Posted by jayducharme View Post
I hope there's an update coming for older n AirPort routers. I have one at home and one at work, and ever since the last update they've been dropping their ability to connect to the Internet. Restarting them fixes the problem for a few hours or a few days, and then the connection drops again. Never was an issue before the last update.
This security update already said the older routers are not affected. So, no, there will not be an update for those routers. A general update for improvements and bug fixes may come but I doubt any time soon. Airports don't get updates that often.

Quote:
Originally Posted by leman View Post
You don't seem to realise it, but the bug has already been found (it's in the OpenSSL library used by 2/3 of servers out there) and fixed on 7. of April by the OpenSSL team. Fixing it in the router involves downloading the patched source code and recompiling the router firmware - it literally takes five minutes. There is nothing to test, because it has been tested ad nauseam by thousands of people worldwide.

It's a disgrace that Apple actually took several weeks to release the fix, AFTER the existence of the bug has become common knowledge. Such things should be an absolute priority!

----------



True, but the delay in fixing it is still quite irresponsible...
It's not really a big problem as you're making it seem. This exploit explicitly requires the attacker to be in your network. If the attacker is already in your network, you have much bigger problems than this exploit.

Heartbleed on web servers is far more complex to fix. Fixing this problem in the code is not the cure but just the first phase. Every affected website is going to have to revoke their SSL certificate, get a brand new one (these usually take weeks), and then force everybody to change your data. All of this is going to take months to be resolved for everybody.

And also, there are far more router companies that are not going to release updates for their routers to fix this if they use that affected code of OpenSSL.
MikhailT is offline   2 Reply With Quote
Old Apr 22, 2014, 07:07 PM   #23
rudigern
macrumors member
 
Join Date: Apr 2010
Quote:
Originally Posted by leman View Post
There is nothing to test, because it has been tested ad nauseam by thousands of people worldwide.
You don't do software development, do you? Firmware is especially fragile because if it doesn't work, you could have all your customers lined out the front of your store with bricked Airports.
rudigern is offline   4 Reply With Quote
Old Apr 22, 2014, 07:09 PM   #24
leman
macrumors 601
 
Join Date: Oct 2008
Quote:
Originally Posted by C DM View Post
Is recompiling against a recompiled source something that is guaranteed not to affect anything else whatsoever, or could there be some unknown/undesirable side-effects that no one would really know about without testing out various scenarios to see if they would still work properly or not?
Usually, fixing a bug of this kind does not change the API behaviour at all (except denying the particular type of attack). To make sure of this, OpenSSL is accompanied by a suite of unit tests which make sure that the framework is behaving as desired.

So while what you are saying is certainly a possibility, it's more an academic one. The API is well defined and well understood, and also thoroughly tested after the fix. Sure, it is possible that the fix has introduced another bug, but if the whole world has not found it after testing the new version for quite some time, I doubt that Apple will
leman is offline   0 Reply With Quote
Old Apr 22, 2014, 07:12 PM   #25
drakino
macrumors regular
 
Join Date: Feb 2006
Quote:
Originally Posted by unobtainium View Post
Yes, but does anyone know why the 802.11n models aren't affected? They do have Back to My Mac..
They likely didn't use a version of OpenSSL with the bug. Only specific versions required a fix, a version that didn't exist when Apple was working on the 802.11n products.
drakino is offline   0 Reply With Quote
