Apple Releases AirPort Extreme and Time Capsule Firmware Update 7.7.3 With Heartbleed Fix

Discussion in 'Mac Blog Discussion' started by MacRumors, Apr 22, 2014.

  1. macrumors bot

    MacRumors

    Joined:
    Apr 12, 2001
    #1
    Apple today released AirPort Extreme and AirPort Time Capsule Firmware Update 7.7.3 for AirPorts with 802.11ac. The update includes security improvements related to SSL/TLS.
    Earlier this month, an OpenSSL bug known as Heartbleed made headlines, with Apple releasing a statement noting that iOS, OS X, and its "key web services" were unaffected by the security flaw, but it appears that the company's AirPort Extreme and AirPort Time Capsule were vulnerable.

    The 7.7.3 update is recommended for all models of the AirPort Extreme and Time Capsule that support 802.11ac Wi-Fi; other AirPort base stations do not need to be updated.

    Article Link: Apple Releases AirPort Extreme and Time Capsule Firmware Update 7.7.3 With Heartbleed Fix
     
  2. macrumors regular

    Joined:
    Feb 26, 2011
  3. macrumors newbie

    Joined:
    Mar 24, 2014
    #3
    Looks like everything getting an update today! :)
     
  4. macrumors newbie

    Joined:
    Jul 6, 2012
    #4
    Well, what do you expect?
    More than a week to figure out that a product is linked with a faulty lib!!
    Perhaps they don't read news :p
    Good job Apple
     
  5. macrumors newbie

    Joined:
    Apr 22, 2014
    #5
    Airport doesn't ship with OS X or iOS. The OS is http://en.wikipedia.org/wiki/VxWorks and outsourced. I do believe that they should have fixed the issue faster, but it should be because they should include iOS with Airport and have complete control, and not because they "don't read the news".
     
  6. macrumors 68000

    Joined:
    Jul 29, 2002
    Location:
    Vancouver, BC CANADA
    #6
    "APPLE SUX! HAHAHAHA"

    No, seriously, I wonder how many other routers out there are vulnerable to this and yet will never receive firmware updates because they are too difficult to install, unlike Airport routers?

    I wonder if this vulnerability is unique to Airport routers because of the Back to the Mac feature that requires user credentials to be stored in order to operate correctly?
     
  7. macrumors newbie

    Joined:
    Apr 22, 2014
    #7
    Now that I think of it I highly doubt it. Most routers that don't update firmware remotely are screwed.
     
  8. macrumors 68020

    pgiguere1

    Joined:
    May 28, 2009
    Location:
    Montreal, Canada
    #8
    Does anybody know if 802.11n AirPort Extremes need a HeartBleed patch?
     
  9. macrumors regular

    Joined:
    May 1, 2008
    #9
    Step 1, Find the bug.
    Step 2, Fix the bug.
    Step 3, Test the fix.
    Step 4, Test the fix.
    Step 5, Test the fix.
    Step 6, Test the fix.
    Step 7, Release the fix.
     
  10. macrumors 601

    Icaras

    Joined:
    Mar 18, 2008
    Location:
    California, United States
    #10
    OS X, iOS, and Airport Time Capsule all updated! :apple:
     
  11. macrumors member

    Joined:
    Jan 30, 2008
    Location:
    Sweden
    #11
    This is something I was also wondering. I just checked and there do not seem to be any updates for them. Hopefully they are not affected.
     
  12. macrumors 6502

    PsyOpWarlord

    Joined:
    Nov 11, 2010
    Location:
    Colorado Springs, CO
    #12
    Did you read the article?

    Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue.
     
  13. macrumors member

    gjvon

    Joined:
    Jul 2, 2012
    Location:
    Houston, Texas (Born and raised a Texan)
    #13
    One thing I love about Apple, they'd briefly announce an infection as soon as the problem arises. I'm going to assume no. Again. Assume.
     
  14. macrumors member

    Joined:
    Jan 9, 2012
    Location:
    UK
    #14
    My understanding is that to exploit the Heartbleed flaw in the router would require the attacker to be already on your network; i.e. they know your wifi password. Apple words it as being in a "...privileged network position..."

    A fair number of routers of all brands are affected but as the attacker already needs to be part of your network the risk is small for most users. If your needs are to open up your wifi for guests then hopefully you have other security measures in place as Heartbleed is provably the least of your worries.

    Worth getting fixed, but probably not as bad as people may think.
     
  15. macrumors 603

    Joined:
    Oct 14, 2008
    #15
    You don't seem to realise it, but the bug has already been found (it's in the OpenSSL library used by 2/3 of servers out there) and fixed on 7. of April by the OpenSSL team. Fixing it in the router involves downloading the patched source code and recompiling the router firmware - it literally takes five minutes. There is nothing to test, because it has been tested ad nauseam by thousands of people worldwide.

    It's a disgrace that Apple actually took several weeks to release the fix, AFTER the existence of the bug has become common knowledge. Such things should be an absolute priority!

    ----------

    True, but the delay in fixing it is still quite irresponsible...
     
  16. macrumors 6502

    Joined:
    Jul 25, 2012
  17. macrumors P6

    Joined:
    Oct 17, 2011
    #17
    Is recompiling against a recompiled source something that is guaranteed not to affect anything else whatsoever, or could there be some unknown/undesirable side-effects that no one would really know about without testing out various scenarios to see if they would still work properly or not?
     
  18. macrumors member

    Joined:
    Jan 24, 2012
    #18
    Let me let you answer that. Does the AirPort Express use 802.11ac? No. Do you even read the article?
     
  19. macrumors 68020

    jayducharme

    Joined:
    Jun 22, 2006
    Location:
    The thick of it
    #19
    I hope there's an update coming for older n AirPort routers. I have one at home and one at work, and ever since the last update they've been dropping their ability to connect to the Internet. Restarting them fixes the problem for a few hours or a few days, and then the connection drops again. Never was an issue before the last update.
     
  20. macrumors 65816

    Joined:
    Mar 27, 2011
    #20
    Yes, but does anyone know why the 802.11n models aren't affected? They do have Back to My Mac..
     
  21. macrumors member

    Joined:
    Jan 24, 2012
    #21
    No idea. I'd say it is whatever coding is associated with the "AC" part of the airports. My guess is something with the dual connections. I'd have to look into it though.
     
  22. macrumors 601

    Joined:
    Nov 12, 2007
    #22
    This security update already said the older routers are not affected. So, no, there will not be an update for those routers. A general update for improvements and bug fixes may come but I doubt any time soon. Airports don't get updates that often.

    It's not really a big problem as you're making it seem. This exploit explicitly requires the attacker to be in your network. If the attacker is already in your network, you have much bigger problems than this exploit.

    Heartbleed on web servers is far more complex to fix. Fixing this problem in the code is not the cure but just the first phase. Every affected website is going to have to revoke their SSL certificate, get a brand new one (these usually take weeks), and then force everybody to change your data. All of this is going to take months to be resolved for everybody.

    And also, there are far more router companies that are not going to release updates for their routers to fix this if they use that affected code of OpenSSL.
     
  23. macrumors member

    Joined:
    Apr 20, 2010
    #23
    You don't do software development, do you? Firmware is especially fragile because if it doesn't work, you could have all your customers lined out the front of your store with bricked Airports.
     
  24. macrumors 603

    Joined:
    Oct 14, 2008
    #24
    Usually, fixing a bug of this kind does not change the API behaviour at all (except denying the particular type of attack). To make sure of this, OpenSSL is accompanied by a suite of unit tests which make sure that the framework is behaving as desired.

    So while what you are saying is certainly a possibility, it's more an academic one. The API is well defined and well understood, and also thoroughly tested after the fix. Sure, it is possible that the fix has introduced another bug, but if the whole world has not found it after testing the new version for quite some time, I doubt that Apple will ;)
     
  25. macrumors regular

    Joined:
    Jan 31, 2006
    #25
    They likely didn't use a version of OpenSSL with the bug. Only specific versions required a fix, a version that didn't exist when Apple was working on the 802.11n products.
     
