Not really. They immediately turned off JVM on end user machines. Those who still need it will have to turn it on and get support from Oracle with new VM.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Confirms 'Heartbleed' Security Issue Did Not Affect Apple Software and 'Key Services'
- Thread starter MacRumors
- Start date
- Sort by reaction score
Not really. They immediately turned off JVM on end user machines. Those who still need it will have to turn it on and get support from Oracle with new VM.
Apologies, I quoted more of your post than I intended to - I am aware that for the most part banks and MS services were not affected.
I'm not convinced that Google/Apple were not at some point vulnerable.
The name of Apple's framework is SecureTransport, it's the third major open source implementation apart from OpenSSL and NSS.
TWO months after the flaw was made public. How many Macs were infected in that time because of either the laziness or incompetence of Apple on that issue?
No. It is not.
It is based on a number of things including the Mach kernel, parts of FreeBSD and NetBSD etc.
----------
You may want to check your Mavericks install:
OpenSSL> version
OpenSSL 0.9.8y 5 Feb 2013
Nope. They turned it off on end user machines automatically within days. Most people don't need Java these days.
Told folks to get support from Oracle since Oracle have new vm.
We don't hear any fallout anyway. No one was hurt.
I'm not saying it's not installed! It's very different since there may be dependencies on it, but the have left OpenSSL in favor of their own implementation, which is why the version remains.
OS X install still includes openssl (presumably for backwards compatibility) and if it was a vulnerable version, anything compiled against it would also be exploitable.
Besides, its not as if we all should be blowing the security trumpet for Secure Transport either - http://www.neowin.net/news/serious-...n-os-x-mavericks-and-ios-7-easily-exploitable
But it is not the vulnerable version.
And Apple make it clear it's deprecated. Xcode would complain.
Obviously.
You're the one blowing the trumpet it seems. You started out by saying that Apple was lazy, and their version was ridiculously outdated, and this was all based on dumb luck. Which is the reason I told you about it.
http://arstechnica.com/apple/2012/0...ly-controls-half-a-million-macs-and-counting/
by Jacqui Cheng - Apr 5 2012
The gotofail bug requires mitm attack and older than TLS 1.2. So most if not all servers are not affected since they would be running TLS 1.2. It is not as "harmful", widespread and easy to exploit as this OpenSSL bug.
All software have security bugs. People are working to plug them. We should thank these folks.
----------
Still doesn't conflict with what I said. Apple turned off JVM remotely on end user machines. Most people don't need it.
They referred folks to use Oracle JVM since they no longer support Java.
For folks who still need to run Java but can't update to the new VM for whatever reasons, they will have to beef up their security (mostly internal network apps). These folks will have to update to the new VM anyway since more bugs were found and probably will be found.
It is in Oracle's hands now.
All software have security bugs. People are working to plug them. We should thank these folks.
----------
Still doesn't conflict with what I said. Apple turned off JVM remotely on end user machines. Most people don't need it.
They referred folks to use Oracle JVM since they no longer support Java.
For folks who still need to run Java but can't update to the new VM for whatever reasons, they will have to beef up their security (mostly internal network apps). These folks will have to update to the new VM anyway since more bugs were found and probably will be found.
It is in Oracle's hands now.
Last edited:
They made the switch with Lion correct? Immediately before then, Snow Leopard still included a 6 year old version of openssl. The 1.x version of openssl was released 15 months prior to this. Had they updated during that 15 month period like everyone else did, we wouldn't be having this conversation.
To be clear, I am taking issue with the following ideas being thrown around this thread:
1. That Apple is innately more security conscious than all other vendors.
2. That the reason for Apple not updating to openssl 1 (and to keep running 0.9.8x) at some point was some sort of proactive security-focussed decision. The most likely reason is that openssl 1 was overlooked because they were busy implementing their own SSL/TLS.
3. That Google, Android, a heap of Linux and BSD vendors were remiss in some way for deploying this version of openssl.
----------
What date? Can you provide a link?
Go look for the link yourself since you seem to have lotsa time on hand. If you are a Mac user, you would have noticed the news that JVM were turned off.
If you had understood Apple first before mouthing off about OpenSSL use, you wouldn't need to waste time talking about Java, trying to save your face either.
It is not uncommon to NOT upgrade to the latest security stack because they can be less mature (read: more buggy. Case in point !). The open source community will still release security patches for old but in-use software. So not upgrading can be a viable strategy too.
In this case, Apple decided that they have had enough and moved on. What can you do ?
If you had understood Apple first before mouthing off about OpenSSL use, you wouldn't need to waste time talking about Java, trying to save your face either.
It is not uncommon to NOT upgrade to the latest security stack because they can be less mature (read: more buggy. Case in point !). The open source community will still release security patches for old but in-use software. So not upgrading can be a viable strategy too.
In this case, Apple decided that they have had enough and moved on. What can you do ?
So just to clarify - are you arguing that Apple was not responsible for Java exploits, since all they were doing at the time was bundling in software produced by a third-party (Sun/Oracle). Is it is the third party who is responsible for security holes in OS X as a result of Java exploits?
It's completely misdirected because non of that is thrown around in this thread.
Well, this particular bug has got some criticism actually if you have followed this. It stems from a complete lack of bounds checking in combination with a custom memory allocator. The bug has been in the wild for two years. I have nothing against OpenSSL.
All i'm asking for is a web link supporting your claim that Apple "disabled JVM" two days after Oracle released their patch. You made the claim - don't back-pedal now.
Really? I'll happily go back and quote. Check the first couple of pages!
Last edited by a moderator:
Microsoft's IIS web server is not vulnerable because it does not use OpenSSL. It uses Microsoft's own TLS/SSL implementation. Microsoft is actually probably smiling on the inside about this one.
It's a MASSIVE oversight on the part of the openssl developers. But **** happens I guess...
Not by me at least, so it's a completely misdirected comment at me. (please don't quote, I can go back and read)
Yes your epic failure. Turning off JVM doesn't mean patching it.
Most people like me don't need Java anyway. So turning it off is better, especially since more holes cropped up later.
Would we have encouraged Google to get their brag on after Apple's GotoFail? Both were bad SSL coding errors... One could argue that Apple was directly at fault for lack of code review in that case, whereas Heartbleed was shared by a great many companies.
And before too much bragging takes place, Apple only said that "key services" weren't affected. Meaning that non-key services likely were affected. Our definition of key might differ from theirs, but it doesn't look like Apple is going to be transparent...