Apple Confirms 'Heartbleed' Security Issue Did Not Affect Apple Software and 'Key Services'

Discussion in 'MacRumors.com News Discussion' started by MacRumors, Apr 10, 2014.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    Apple today released a statement to Re/code confirming that iOS, OS X and "key web services" were unaffected by the widely publicized security flaw known as Heartbleed which was disclosed earlier this week.
    Heartbleed was a security flaw in the popular open-source software OpenSSL, which helps provide secure connections between clients and servers. Due to the ubiquity of OpenSSL, Heartbleed is believed to have affected approximately 66% of the internet.

    Security blogger Bruce Schneier describes the issue as "catastrophic" and on "the scale of 1 to 10, this is an 11." The flaw allowed servers to leak server memory to a malicious attacker, allowing hackers to extract login/password and other private data from a server. Users are recommended to change their passwords on all services that may have been affected. Mashable provides a list of services where you should change your password. Fortunately, MacRumors Forums were unaffected by the security flaw.

    Article Link: Apple Confirms 'Heartbleed' Security Issue Did Not Affect Apple Software and 'Key Services'
     
  2. macrumors 68020

    SMIDG3T

    Joined:
    Apr 29, 2012
    Location:
    England
  3. macrumors 6502a

    dugbug

    Joined:
    Aug 23, 2008
    Location:
    Somewhere in Florida
    #3
    Apple could not resist that zinger :p

    Android apparently incorporated it. Ouch.
     
  4. macrumors member

    Joined:
    Oct 29, 2011
  5. stukdog, Apr 10, 2014
    Last edited: Apr 10, 2014

    macrumors 6502

    Joined:
    Oct 20, 2004
  6. macrumors 6502

    ka-spot

    Joined:
    May 23, 2012
    #6
    terrific

    I always knew that my money wasn't spent on the wind.
     
  7. macrumors member

    Joined:
    Sep 17, 2012
    Location:
    Philadelphia, PA
    #7
    Shocked
     

  8. macrumors regular

    Joined:
    Oct 6, 2012
    #8
    Their statement contained a bit of marketing blahblah.

    It's not important that Apple takes security very seriously and it doesn't even matter in this case - nobody (maybe except for the NSA^^) knew about this issue, so there wouldn't have been anything Apple could have done.
     
  9. macrumors 6502a

    BornAgainApple

    Joined:
    Jun 9, 2009
    Location:
    Massachusetts
  10. Merode, Apr 10, 2014
    Last edited: Apr 11, 2014

    macrumors 6502

    Merode

    Joined:
    Nov 5, 2013
    Location:
    Warszawa, PL
    #10
    To people above me: right - remember the SSL issue from not long ago?
    The garden is walled, except for holes found from time to time.
     
  11. macrumors member

    Joined:
    Jan 17, 2014
    #11
    I always knew in the event of skynet or an apocalypse Apple computers would be the only ones running hahaha. That would show the haters who are the real idiots.
     
  12. macrumors 65816

    Joined:
    Jun 30, 2007
    #12
    Not exactly. OpenSSL has gotten a lot of flak in the past for being a shoddy library. There's plenty of security researchers who've looked through the code and said it's a mess. So perhaps Apple knew to stay away where possible. In other cases, it was a lucky accident that they pinned OpenSSL on OS X to the older 0.9.8 which wasn't vulnerable.

    Either way, it's a PR win for Apple, especially compared to Android which is vulnerable. And you can bet that many of the old versions of Android people are running will never get patched by carriers.
     
  13. macrumors 6502a

    dugbug

    Joined:
    Aug 23, 2008
    Location:
    Somewhere in Florida
    #13
    This one is a doozy
     
  14. macrumors 6502a

    Joined:
    Jul 21, 2003
    Location:
    Atlanta
    #14
    wholes?

    hmm, I'm gonna think about that while I enjoy my hore.
     
  15. Editor emeritus

    longofest

    Joined:
    Jul 10, 2003
    Location:
    Falls Church, VA
    #15
    That's because Android is based on Linux, and OpenSSL is part of almost every Linux distro out there. It's hard to fault Google/Android for using OpenSSL.

    The whole situation really just sucks all around. I don't think anyone is exaggerating when they say that 2/3 of internet facing websites use OpenSSL.
     
  16. macrumors 604

    Jessica Lares

    Joined:
    Oct 31, 2009
    Location:
    Near Dallas, Texas, USA
    #16
    I'm just glad that Apple even commented. Still waiting on my bank and credit card companies to say anything...
     
  17. macrumors G3

    SchneiderMan

    Joined:
    May 25, 2008
    Location:
    Apple state
    #17
    I agree holeheartedly.
     
  18. macrumors 6502a

    AppleInLVX

    Joined:
    Jan 12, 2010
    Location:
    Kitchener, Ontario, Canada
    #18
    Forgive my ignorance, but does this mean that all of Apple's online services are okay, or that using an apple device of any sort then also makes your data safe regardless of where you browse? If the latter, then way cool.
     
  19. macrumors 6502a

    Joined:
    Aug 3, 2010
    #19
    Whether they use OpenSSL or not for SSL doesn't have anything to do with being a walled garden.
     
  20. macrumors newbie

    Joined:
    Mar 28, 2012
    #20
    That's good. You know if Apple had been affected, all the headlines would be reading "Apple's Security Failure"
     
  21. macrumors 601

    Joined:
    Jul 11, 2008
    #21
    Proof that Apple is more secure than Android or Windows. This should shut those boys up.
     
  22. macrumors member

    Joined:
    Aug 29, 2006
    #22
    Key Services???

    Apple is being vague about this.

    What is the definition of "key services"?

    It would have been nice if they had come out and stated that the iTunes store, the Apple store, and iCloud were not affected. One would assume that those are key services, but who knows?
     
  23. macrumors 68040

    SlCKB0Y

    Joined:
    Feb 25, 2012
    Location:
    Sydney, Australia
    #23
    Do you know why Apple services and products were not affected? Pure dumb luck.

    Apple is just lazy - they keep their BSD subsystem ridiculously outdated:

    Although 0.9.8y was released earlier this year, it was a minor point release for a major version of SSL originally released in 2005. :eek:
     
  24. macrumors 6502

    Joined:
    May 1, 2010
    #24
    It won't. Face it. Fandroids are robots.
     
  25. macrumors regular

    Joined:
    Feb 19, 2002
    Location:
    Gothenburg, Sweden
    #25
    Or it could be that newer versions of this software don't include anything that Apple deems useful. Don't fix what's not broken.
     
