Apple Releases AirPort Extreme and Time Capsule Firmware Update 7.7.3 With Heartbleed Fix

Discussion in 'Mac Blog Discussion' started by MacRumors, Apr 22, 2014.

  1. macrumors bot


    Apr 12, 2001

    Apple today released AirPort Extreme and AirPort Time Capsule Firmware Update 7.7.3 for AirPorts with 802.11ac. The update includes security improvements related to SSL/TLS.
    Earlier this month, an OpenSSL bug known as Heartbleed made headlines, with Apple releasing a statement noting that iOS, OS X, and its "key web services" were unaffected by the security flaw, but it appears that the company's AirPort Extreme and AirPort Time Capsule were vulnerable.

    The 7.7.3 update is recommended for all models of the AirPort Extreme and Time Capsule that support 802.11ac Wi-Fi; other AirPort base stations do not need to be updated.

  2. macrumors regular

    Feb 26, 2011
  3. macrumors newbie

    Mar 24, 2014
    Looks like everything getting an update today! :)
  4. macrumors newbie

    Jul 6, 2012
    Well, what do you expect?
    More than a week to figure out that a product is linked with a faulty lib!!
    Perhaps they don't read news :p
    Good job Apple
  5. macrumors newbie

    Apr 22, 2014
    Airport doesn't ship with OS X or iOS. The OS is and outsourced. I do believe that they should have fixed the issue faster but it should be because they should include iOS with Airport and have complete control and not because they "don't read the news".
  6. macrumors 68020

    Jul 29, 2002
    Vancouver, BC CANADA

    No, seriously, I wonder how many other routers out there are vulnerable to this and yet will never receive firmware updates because they are too difficult to install, unlike Airport routers?

    I wonder if this vulnerability is unique to Airport routers because of the Back to the Mac feature that requires user credentials to be stored in order to operate correctly?
  7. macrumors newbie

    Apr 22, 2014
    Now that I think of it I highly doubt it. Most routers that don't update firmware remotely are screwed.
  8. macrumors 68020


    May 28, 2009
    Montreal, Canada
    Does anybody know if 802.11n AirPort Extremes need a HeartBleed patch?
  9. macrumors regular

    May 1, 2008
    Step 1, Find the bug.
    Step 2, Fix the bug.
    Step 3, Test the fix.
    Step 4, Test the fix.
    Step 5, Test the fix.
    Step 6, Test the fix.
    Step 7, Release the fix.
  10. macrumors 601


    Mar 18, 2008
    California, United States
    OS X, iOS, and Airport Time Capsule all updated! :apple:
  11. macrumors member

    Jan 30, 2008
    This is something I was also wondering. I just checked and there do not seem to be any updates for them. Hopefully they are not affected.
  12. macrumors 6502


    Nov 11, 2010
    Colorado Springs, CO
    Did you read the article?

    Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue.
  13. macrumors member


    Jul 2, 2012
    Houston, Texas (Born and raised a Texan)
    One thing I love about Apple, they'd briefly announce an infection as soon as the problem arises. I'm going to assume no. Again. Assume.
  14. macrumors member

    Jan 9, 2012
    My understanding is that to exploit the Heartbleed flaw in the router would require the attacker to be already on your network; i.e. they know your wifi password. Apple words it as being in a "...privileged network position..."

    A fair number of routers of all brands are affected but as the attacker already needs to be part of your network the risk is small for most users. If your needs are to open up your wifi for guests then hopefully you have other security measures in place as Heartbleed is probably the least of your worries.

    Worth getting fixed, but probably not as bad as people may think.
  15. macrumors 603

    Oct 14, 2008
    You don't seem to realise it, but the bug has already been found (it's in the OpenSSL library used by 2/3 of servers out there) and fixed on the 7th of April by the OpenSSL team. Fixing it in the router involves downloading the patched source code and recompiling the router firmware - it literally takes five minutes. There is nothing to test, because it has been tested ad nauseam by thousands of people worldwide.

    It's a disgrace that Apple actually took several weeks to release the fix, AFTER the existence of the bug has become common knowledge. Such things should be an absolute priority!


    True, but the delay in fixing it is still quite irresponsible...
  16. macrumors 6502

    Jul 25, 2012
  17. macrumors Core

    Oct 17, 2011
    Is recompiling against a recompiled source something that is guaranteed not to affect anything else whatsoever, or could there be some unknown/undesirable side-effects that no one would really know about without testing out various scenarios to see if they would still work properly or not?
  18. macrumors member

    Jan 24, 2012
    Let me let you answer that. Does the AirPort Express use 802.11ac? No. Do you even read the article?
  19. macrumors 68020


    Jun 22, 2006
    The thick of it
    I hope there's an update coming for older n AirPort routers. I have one at home and one at work, and ever since the last update they've been dropping their ability to connect to the Internet. Restarting them fixes the problem for a few hours or a few days, and then the connection drops again. Never was an issue before the last update.
  20. macrumors 65816

    Mar 27, 2011
    Yes, but does anyone know why the 802.11n models aren't affected? They do have Back to My Mac..
  21. macrumors member

    Jan 24, 2012
    No idea. I'd say it is whatever coding is associated with the "AC" part of the airports. My guess is something with the dual connections. I'd have to look into it though.
  22. macrumors 601

    Nov 12, 2007
    This security update already said the older routers are not affected. So, no, there will not be an update for those routers. A general update for improvements and bug fixes may come but I doubt any time soon. Airports don't get updates that often.

    It's not really a big problem as you're making it seem. This exploit explicitly requires the attacker to be in your network. If the attacker is already in your network, you have much bigger problems than this exploit.

    Heartbleed on web servers is far more complex to fix. Fixing this problem in the code is not the cure but just the first phase. Every affected website is going to have to revoke their SSL certificate, get a brand new one (these usually take weeks), and then force everybody to change your data. All of this is going to take months to be resolved for everybody.

    And also, there are far more router companies that are not going to release updates for their routers to fix this if they use that affected code of OpenSSL.
  23. macrumors member

    Apr 20, 2010
    You don't do software development, do you? Firmware is especially fragile because if it doesn't work, you could have all your customers lined out the front of your store with bricked Airports.
  24. macrumors 603

    Oct 14, 2008
    Usually, fixing a bug of this kind does not change the API behaviour at all (except denying the particular type of attack). To make sure of this, OpenSSL is accompanied by a suite of unit tests which make sure that the framework is behaving as desired.

    So while what you are saying is certainly a possibility, it's more an academic one. The API is well defined and well understood, and also thoroughly tested after the fix. Sure, it is possible that the fix has introduced another bug, but if the whole world has not found it after testing the new version for quite some time, I doubt that Apple will ;)
  25. macrumors regular

    Jan 31, 2006
    They likely didn't use a version of OpenSSL with the bug. Only specific versions required a fix, a version that didn't exist when Apple was working on the 802.11n products.
