But to say that "66% of the Internet" is affected is actually quite a bit of an exaggeration. It might well be 66% of the web sites using SSL, but even if it were 100%, that still would not be "66% of the Internet."

To be clear... 66% of internet facing websites that are secured use OpenSSL.

Also, don't interchange "SSL" with "OpenSSL". SSL by itself is a public key method of encryption that is broken except for version 3, but even still, it is encouraged to use more modern TLS encryption. OpenSSL is a software package that supports SSLv3 as well as TLS.

The bug was in the TLS heartbeat mechanism as implemented in the OpenSSL software.

----------

You realize that Mac OS X is based off of linux as well... but they stuck to version OpenSSL 0.9.8y

Mac OS X is most certainly NOT based on Linux. You confuse being a "unix-like" OS with Linux.

Android uses the Linux kernel.
Apple uses the XNU kernel.
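Added example, not code from any poster in this thread and not OpenSSL's own source: a simplified model of the heartbeat bug mentioned above. The flawed handler echoes as many bytes as the 16-bit length field in the heartbeat header claims; the hardened handler checks that claim against the length of the record actually received, which is what the fix does. The function names, constants, the 64-byte demo region and the "stale" bytes placed after the genuine payload are all constructed for this example.

```c
/* Simplified TLS heartbeat handling, added here as an example for this
 * thread; it is not OpenSSL's code. It models the class of bug described
 * above: the peer supplies a 16-bit payload length and the flawed code
 * trusted it instead of checking it against the record actually received.
 * Names, constants and the sample bytes are this example's own. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST     1
#define HB_HEADER_LEN  3   /* 1 byte message type + 2 bytes payload length */
#define HB_PADDING_LEN 16  /* RFC 6520: at least 16 bytes of random padding */
#define REGION         64  /* size of the demo memory region */

/* Payload length is sent big-endian on the wire. */
static size_t read_u16(const uint8_t *p) {
    return ((size_t)p[0] << 8) | p[1];
}

/* Flawed shape: echoes payload_len bytes because the header said so.
 * The only limit is the size of the memory region (region_cap), which keeps
 * this demo within defined behaviour; the real code had no such cap, so
 * whatever followed the genuine payload in memory was copied back. */
size_t heartbeat_unchecked(const uint8_t *region, size_t region_cap,
                           uint8_t *out, size_t out_cap) {
    if (region_cap < HB_HEADER_LEN || region[0] != HB_REQUEST) return 0;
    size_t payload_len = read_u16(region + 1);
    if (payload_len > region_cap - HB_HEADER_LEN) payload_len = region_cap - HB_HEADER_LEN;
    if (payload_len > out_cap) payload_len = out_cap;
    memcpy(out, region + HB_HEADER_LEN, payload_len);
    return payload_len;
}

/* Hardened shape, mirroring what the fix does: header + declared payload +
 * minimum padding must fit inside rec_len, the length of the record that
 * was really received; otherwise the message is silently discarded. */
size_t heartbeat_checked(const uint8_t *rec, size_t rec_len,
                         uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER_LEN + HB_PADDING_LEN || rec[0] != HB_REQUEST) return 0;
    size_t payload_len = read_u16(rec + 1);
    if (HB_HEADER_LEN + payload_len + HB_PADDING_LEN > rec_len) return 0;
    if (payload_len > out_cap) return 0;
    memcpy(out, rec + HB_HEADER_LEN, payload_len);
    return payload_len;
}

/* Builds one 64-byte region: a 24-byte heartbeat request carrying "hello"
 * (5 bytes) plus padding, followed by constructed stale bytes that stand in
 * for whatever happened to sit next in memory. claimed_len is what the
 * header says; 5 is honest, anything larger is a lie. Returns the genuine
 * record length. */
static size_t build_region(uint8_t *region, uint16_t claimed_len) {
    memset(region, 0, REGION);
    region[0] = HB_REQUEST;
    region[1] = (uint8_t)(claimed_len >> 8);
    region[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(region + HB_HEADER_LEN, "hello", 5);
    memset(region + HB_HEADER_LEN + 5, 0xAA, HB_PADDING_LEN);
    memcpy(region + HB_HEADER_LEN + 5 + HB_PADDING_LEN, "STALE-SESSION-COOKIE", 20);
    return HB_HEADER_LEN + 5 + HB_PADDING_LEN;
}

/* Bytes the flawed handler returns beyond the genuine 5-byte payload. */
size_t leaked_bytes_unchecked(uint16_t claimed_len) {
    uint8_t region[REGION], out[REGION];
    build_region(region, claimed_len);
    size_t n = heartbeat_unchecked(region, REGION, out, sizeof out);
    return n > 5 ? n - 5 : 0;
}

/* Bytes the hardened handler echoes for the same request (0 = dropped). */
size_t echoed_bytes_checked(uint16_t claimed_len) {
    uint8_t region[REGION], out[REGION];
    size_t rec_len = build_region(region, claimed_len);
    return heartbeat_checked(region, rec_len, out, sizeof out);
}

int main(void) {
    printf("honest header (5):  unchecked leaks %zu extra bytes, checked echoes %zu\n",
           leaked_bytes_unchecked(5), echoed_bytes_checked(5));
    printf("lying header (40):  unchecked leaks %zu extra bytes, checked echoes %zu\n",
           leaked_bytes_unchecked(40), echoed_bytes_checked(40));
    return 0;
}
```

With an honest header both handlers echo the 5-byte payload. With a header claiming 40 bytes, the flawed handler returns 35 extra bytes, the padding and then the constructed stale data, while the hardened handler drops the message because 3 + 40 + 16 exceeds the 24 bytes that actually arrived. The general lesson is the one that matters for detection and review: any length field supplied by the peer must be checked against the size of the data actually received before it drives a copy.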
 
Would we have encouraged Google to get their brag on after Apple's GotoFail? Both were bad SSL coding errors... One could argue that Apple was directly at fault for lack of code review in that case, whereas Heartbleed was shared by a great many companies.

And before too much bragging takes place, Apple only said that "key services" weren't affected. Meaning that non-key services likely were affected. Our definition of key might differ from theirs, but it doesn't look like Apple is going to be transparent...

They use third party CDNs too. Those folks will need to take care of their own servers.

In general, public companies don't use unsupported software for end customer services. Their legals will shoot the engineers.
 
To be clear... 66% of internet facing websites that are secured use OpenSSL.

That 66% includes versions of OpenSSL not vulnerable to heartbleed and also those that have not enabled heartbeat. So realistically it's more like 18-20% per Steve Gibson on Security Now podcast.
 
Mashable website has compiled a list of the biggest sites hit by Heartbleed. They are saying to change your password for these 15 sites asap. Check out all the sites they show as affected and not affected...it's a long long list.

Facebook
IFTTT
Instagram
Pinterest
Tumblr
Google
Yahoo
Gmail
Amazon Web Services
Turbotax
Dropbox
OKCupid
Soundcloud
GoDaddy
Minecraft

What is odd is I saw another article earlier today that said Amazon was not affected and also Google.

I don't think we will ever really know and I also read this has been happening for years.

I also just got an update for OS Chrome Version 34.0.1847.116. If you use Chrome check for your update now.
 
I also just got an update for OS Chrome Version 34.0.1847.116. If you use Chrome check for your update now.

What does Chrome OS have to do with this?
 
Do you know why Apple services and products were not affected? Pure dumb luck.

Apple is just lazy - they keep their BSD subsystem ridiculously outdated:
Wrong!

Apple Inc. said:
From:
https://developer.apple.com/library...eneralPurposeCrypto/GeneralPurposeCrypto.html

“Although OpenSSL is commonly used in the open source community, OpenSSL does not provide a stable API from version to version. For this reason, although OS X provides OpenSSL libraries, the OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS. Use of the OS X OpenSSL libraries by apps is strongly discouraged.”


From:
https://developer.apple.com/library...ationAPIs/SecureNetworkCommunicationAPIs.html

“In addition to these APIs, a number of open source tools use OpenSSL for secure networking. If you use OpenSSL in your publicly shipping apps, you must provide your own copy of the OpenSSL libraries, preferably as part of your app bundle; the OpenSSL libraries that OS X provides are deprecated.”


----------

The fact that you don't know what you're talking about is pretty hilarious, since Apple do use OpenSSL, but not the vulnerable version.
Apple does not use OpenSSL in OS X 10.7 and newer. They use their own GCD compatible library.
 
They made the switch with Lion correct? Immediately before then, Snow Leopard still included a 6 year old version of openssl.

No, it didn't. You don't understand how software versioning and support works.

OpenSSL 0.9.8 is still supported by the OpenSSL developers. They chose not to increment those numbers for some number of years, but that does not mean the software has not been updated in that long.

Also, more importantly, OpenSSL is provided in OSX only for compatibility. The system itself uses SecureTransport. (Which had that stupid gotofail bug, but the OpenSSL one is much, much worse.)

The 1.x version of openssl was released 15 months prior to this. Had they updated during that 15 month period like everyone else did, we wouldn't be having this conversation.

Indeed. We'd be having a conversation about how software using OpenSSL on OSX was also vulnerable to this problem instead. Much better.
 
Do you know why Apple services and products were not affected? Pure dumb luck.

Apple is just lazy - they keep their BSD subsystem ridiculously outdated:



Although 0.9.8y was released earlier this year, it was a minor point release for a major version of SSL originally released in 2005. :eek:

A naked version number means nothing except to indicate where the code base started from. There's no way to know what patches, if any, have been separately applied from upstream versions as doing so doesn't bump the version. Apple and RedHat, among others, are good at doing things like this.
 
They do use OpenSSL, just not the versions impacted (1.0.1 through 1.0.1f).

What is funny is people who have no clue commenting.

I'm a jr. developer at my company, and I spent the morning making sure our servers were secure. My boss said to me "Aren't you putting a lot of effort into this?" This because a sr. developer assured him that no one would implement an SSL library that would allow arbitrary RAM dumping.

I didn't have the heart to tell him that I could ping different websites and get random username and password combos back in plain text.
 
OpenSSL is a known entity that is constantly analyzed for security exploits.

...Um...

That would be peachy if the many-eyes theory of constant analysis hadn't actually soiled itself so badly in recent days. Heartbleed is the third major crypto whoops in open-source code within about a month. Apple's several-month-old "goto fail" issue was the first, then came the GnuTLS bug which impacted the Linux community in mid-fist-pump after having lurked for years [http://arstechnica.com/security/201...inux-hundreds-of-apps-open-to-eavesdropping/], and now this majestic new OpenSSL bug.

All open source. All "constantly analyzed for security exploits."

Just sayin'.
 
A naked version number means nothing except to indicate where the code base started from. There's no way to know what patches, if any, have been separately applied from upstream versions as doing so doesn't bump the version. Apple and RedHat, among others, are good at doing things like this.

Except with Redhat it is trivially easy to get this information.

-bash-4.1# rpm -q --changelog openssl | grep CVE-2014-0160
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension


----------

All open source. All "constantly analyzed for security exploits."

Just sayin'.

Why don't you just say what you really mean?
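Added example, not from any poster here: the two checks discussed above, the version range 1.0.1 through 1.0.1f and the changelog query, put together. A version string alone only says where the code base started, so the second step looks for the fix recorded in the package changelog, as the rpm command above does. The changelog text is a constructed sample modelled on that output, the verdict codes and function names are this example's own, and the parser assumes the version looks like the output of `openssl version` or a bare "1.0.1e".

```c
/* Added example for this thread, not OpenSSL's or any distribution's code.
 * Step 1: is the version number inside the range the thread names
 * (1.0.1 through 1.0.1f)? Step 2: does the package changelog record the
 * fix, as the rpm -q --changelog output above does? Only the combination
 * is meaningful, because distributions backport fixes without bumping the
 * upstream version number. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define HEARTBLEED_CVE "CVE-2014-0160"

/* Parses "1.0.1e", "OpenSSL 1.0.1e 11 Feb 2013" or "0.9.8y" into
 * major.minor.fix plus an optional patch letter (0 when absent).
 * Returns 1 on success, 0 if the string does not look like a version. */
int parse_openssl_version(const char *s, int *major, int *minor, int *fix, char *letter) {
    const char *p = strstr(s, "OpenSSL ");
    p = p ? p + 8 : s;
    int consumed = 0;
    if (sscanf(p, "%d.%d.%d%n", major, minor, fix, &consumed) != 3) return 0;
    p += consumed;
    *letter = islower((unsigned char)*p) ? *p : 0;
    return 1;
}

/* 1 if the version number alone falls in 1.0.1 .. 1.0.1f. */
int version_in_heartbleed_range(const char *s) {
    int major, minor, fix;
    char letter;
    if (!parse_openssl_version(s, &major, &minor, &fix, &letter)) return 0;
    if (major != 1 || minor != 0 || fix != 1) return 0;
    return letter == 0 || letter <= 'f';
}

/* 1 if the changelog mentions the CVE, i.e. the fix was backported. */
int changelog_mentions_fix(const char *changelog) {
    return strstr(changelog, HEARTBLEED_CVE) != NULL;
}

/* Combined verdict: 0 = version not in the affected range,
 * 1 = affected range but the changelog records the fix,
 * 2 = affected range and no fix recorded (treat as vulnerable). */
int heartbleed_verdict(const char *version, const char *changelog) {
    if (!version_in_heartbleed_range(version)) return 0;
    return changelog_mentions_fix(changelog) ? 1 : 2;
}

/* Constructed sample changelog, modelled on the rpm output quoted above;
 * the packager name, address and release string are placeholders. */
static const char SAMPLE_CHANGELOG[] =
    "* Mon Apr 07 2014 Packager <packager@example.invalid> 1.0.1e-0.example\n"
    "- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension\n"
    "* Mon Mar 03 2014 Packager <packager@example.invalid> 1.0.1e-0.example\n"
    "- rebuilt with updated build flags\n";

int main(void) {
    const char *builds[] = { "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g", "OpenSSL 0.9.8y" };
    const char *meaning[] = { "not in affected range", "affected range, fix backported",
                              "affected range, no fix recorded" };
    for (int i = 0; i < 3; i++) {
        int v = heartbleed_verdict(builds[i], SAMPLE_CHANGELOG);
        printf("%-28s -> %s\n", builds[i], meaning[v]);
    }
    return 0;
}
```

Usage note: feed the output of `openssl version` and, on an RPM system, `rpm -q --changelog openssl`; on other systems substitute whatever changelog the package manager exposes. A verdict of 2 means the version is in range and nothing on record says the fix was applied, which is the case to escalate.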
 
Everyone should agree Apple made a very smart decision not implementing OpenSSL in their infrastructure. As a result, we Apple consumers can feel safe and protected while everyone else is scrambling to undo all the damage and the associated security risks for their consumers.
 

yea but it's still affected whereas ios isn't at all

Not really a win or a loss for any of them as the issue itself isn't something that is OS-specific in that way.

win for us ios users knowing we have one of the more secured os's out there

definitely can't say that about android, they come out the box with malware lol
 
No, it didn't. You don't understand how software versioning and support works.

Believe me I do. I was saying that with the release of lion, they transitioned from openssl to secure transport. Maybe I wasn't clear...

----------

win for us ios users knowing we have one of the more secured os's out there

definitely can't say that about android, they come out the box with malware lol

*sigh* This exploit makes the web a less secure place for everyone, regardless of what client side OS you are running. There are no real "winners" here, only losers. The only winners are cyber criminals and intelligence organisations.

And to think this thread began with some pretty interesting discussion with some informed posters of differing opinion. It has now degenerated to this... I'm out!
 
Ohh! The irony of Apple complaining about openssl deprecating parts of their API too quickly. Apple are the kings of doing this kind of thing.

Again, not really.

Apple has no problem dropping features from their products where that makes sense, but when Apple declares an API stable, you can be sure it won't change in an incompatible manner for at least two major (10.X) releases, and usually more.

Most software made to run on OSX 10.4 (the first release for Intel) will run on 10.9 if it didn't use any non-stable APIs. Of course, that is a full five major releases so some APIs will have changed or, after deprecation, disappeared entirely. There are APIs still in OSX today that debuted with OSX 10.0. Binaries written for that OS version won't run of course (on account of they will be for PowerPC) but a recompile might fix it, assuming the other APIs used weren't deprecated in the 13 years since it was written.

Of course, many programs use APIs that are not all that stable, or they use libraries from external parties where the same problem applies (like OpenSSL). And the more complex the software is, the more likely this is to happen, so in the real world running software written for 10.0 is going to be a challenge. But it is possible in the right circumstances.

Also, the above does not account for software taking advantage of bugs that are fixed, obviously.
 
No. This vulnerability is primarily aimed at web servers, so it's a website/service owner that'll determine whether or not they're vulnerable. Most updated shortly after the bug was found. You can attack clients with it, but it involves far more work, requires good timing, and requires additional information which attackers generally can't get.

Banks generally haven't used OpenSSL, Microsoft doesn't use OpenSSL, and it's quite probable Google used their own SSL implementation for their servers. Same story with Apple.

With the exception of Yahoo, it's generally smaller websites and services you have to worry about. The Verge, ArsTechnica, Anandtech, etc. Macrumors would probably be vulnerable, but SSL isn't used to begin with.

Thank you for the clarification. That's what I suspected, but it all seemed too vague to me.
 