
MacRumors

macrumors bot
Original poster
Apr 12, 2001
59,312
23,294



Apple today released a statement to Re/code confirming that iOS, OS X and "key web services" were unaffected by the widely publicized security flaw known as Heartbleed which was disclosed earlier this week.
"Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected," an Apple spokesperson told Re/code.
Heartbleed was a security flaw in the popular open-source software OpenSSL which helps provide secure connections between clients and servers. Due to the ubiquity of OpenSSL, Heartbleed is believed to have affected approximately 66% of the internet.

Security blogger Bruce Schneier describes the issue as "catastrophic" and on "the scale of 1 to 10, this is an 11." The flaw allowed servers to leak server memory to a malicious attacker, allowing hackers to extract login/password and other private data from a server. Users are recommended to change their passwords on all services that may have been affected. Mashable provides a list of services where you should change your password. Fortunately, MacRumors Forums were unaffected by the security flaw.

Article Link: Apple Confirms 'Heartbleed' Security Issue Did Not Affect Apple Software and 'Key Services'
 

SILen(e

macrumors regular
Oct 6, 2012
243
19
Their statement contained a bit of marketing blahblah.

It's not important that Apple takes security very seriously and it doesn't even matter in this case - nobody (maybe except for the NSA^^) knew about this issue, so there wouldn't have been anything Apple could have done.
 

Merode

macrumors 6502a
Nov 5, 2013
620
545
Warszawa, Poland
To people above me: right - remember SSL issue from not long ago?
The garden is walled, except for holes found from time to time.
 

epic-retouching

macrumors member
Jan 17, 2014
89
0
I always knew in the event of skynet or an apocalypse Apple computers would be the only ones running hahaha. That would show the haters who are the real idiots.
 

petsounds

macrumors 65816
Jun 30, 2007
1,490
505
It's not important that Apple takes security very seriously and it doesn't even matter in this case - nobody (maybe except for the NSA^^) knew about this issue, so there wouldn't have been anything Apple could have done.

Not exactly. OpenSSL has gotten a lot of flak in the past for being a shoddy library. There's plenty of security researchers who've looked through the code and said it's a mess. So perhaps Apple knew to stay away where possible. In other cases, it was a lucky accident that they pinned OpenSSL on OS X to the older 0.9.8 which wasn't vulnerable.

Either way, it's a PR win for Apple, especially compared to Android which is vulnerable. And you can bet that many of the old versions of Android people are running will never get patched by carriers.
 

longofest

Editor emeritus
Jul 10, 2003
2,906
1,620
Falls Church, VA
Android apparently incorporated it. Ouch.

That's because Android is based on Linux, and OpenSSL is part of almost every Linux distro out there. It's hard to fault Google/Android for using OpenSSL.

The whole situation really just sucks all around. I don't think anyone is exaggerating when they say that 2/3 of internet facing websites use OpenSSL.
 

AppleInLVX

macrumors 65816
Jan 12, 2010
1,196
665
Forgive my ignorance, but does this mean that all of Apple's online services are okay, or that using an apple device of any sort then also makes your data safe regardless of where you browse? If the latter, then way cool.
 

Jedibugs

macrumors newbie
Mar 28, 2012
7
0
That's good. You know if Apple had been affected, all the headlines would be reading "Apple's Security Failure"
 

Razeus

macrumors 603
Jul 11, 2008
5,347
2,029
Proof that Apple is more secure than Android or Windows. This should shut those boys up.
 

hofer

macrumors member
Aug 29, 2006
94
29
Key Services???

Apple is being vague about this.

What is the definition of "key services"?

It would have been nice if they had come out and stated that the iTunes store, the Apple store, and iCloud were not affected. One would assume that those are key services, but who knows?
 

SlCKB0Y

macrumors 68040
Feb 25, 2012
3,401
542
Sydney, Australia
Do you know why Apple services and products were not affected? Pure dumb luck.

Apple is just lazy - they keep their BSD subsystem ridiculously outdated:

mbp:~ user$ openssl version
OpenSSL 0.9.8y 5 Feb 2013

Although 0.9.8y was released earlier this year, it was a minor point release for a major version of SSL originally released in 2005. :eek:
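
Added example, not part of the post above or of the thread: a shell check that classifies an `openssl version` line, like the one quoted above, against the upstream releases affected by Heartbleed. The affected range is taken from the OpenSSL advisory rather than from this page, and the function name `heartbleed_status` is a hypothetical helper.

```shell
#!/bin/sh
# Added example: classify an `openssl version` line against the upstream
# Heartbleed range. The range comes from the OpenSSL advisory, not from this
# thread: 1.0.1 through 1.0.1f, 1.0.2-beta and 1.0.2-beta1 are affected;
# the 0.9.8 and 1.0.0 branches and 1.0.1g or later are not.
# heartbleed_status is a hypothetical helper name.
heartbleed_status() {
    # $1 is a full version line, e.g. "OpenSSL 0.9.8y 5 Feb 2013".
    # Anything that is not OpenSSL (LibreSSL, empty input) yields "unknown".
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        "")
            echo "unknown" ;;
        # Vendor suffixes such as "-fips" follow the upstream release letter.
        1.0.1|1.0.1[abcdef]|1.0.1[abcdef]-*)
            echo "affected" ;;
        1.0.2-beta|1.0.2-beta1)
            echo "affected" ;;
        0.9.*|1.0.0*|1.0.1[g-z]*|1.0.2*|1.1.*|3.*)
            echo "not-affected" ;;
        *)
            echo "unknown" ;;
    esac
}

# "affected" refers to the upstream version only. Distributions shipped
# backported fixes without changing the version string, so confirm an
# "affected" result against the package changelog before acting on it.
if command -v openssl >/dev/null 2>&1; then
    heartbleed_status "$(openssl version)"
fi
```

A result of `unknown` covers builds that do not report an OpenSSL release string, such as LibreSSL, and pre-release strings the function does not recognise.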
 