Apple Confirms 'Heartbleed' Security Issue Did Not Affect Apple Software and 'Key Services'

[centauratlas]

I'm not saying it's not installed! It's very different since there may be dependencies on it, but the have left OpenSSL in favor of their own implementation, which is why the version remains.

The Apple version is not exploitable, but as you said "there may be dependencies on it" then openssl (an older version) is running and if it was the current version it would be EXPLOITABLE.

Even if Apple is running secure transport for some of their software and have deprecated openssl, as long as there are those dependencies at some point it is used and could have been exploitable. Thankfully Apple wasn't running the exploitable versions, but it is there, and it is used since there are dependencies.

My only points are that: Apple has openssl on OS X, it is a non-exploitable version, that regardless of whether some software is using secure transport or not other software depends on openssl (pre-heardbleed). Merely because Apple is transitioning to something else does not mean that openssl is gone.

 

[bzero]

Always check to make sure you aren't reading/writing outside of an array! A bunch of huge companies like Google used this OpenSSL code, apparently without having anyone look for bugs in it. Or that person couldn't catch the bug. Also, I'm usually the one to defend the NSA, but this kinda reeks...

One faintly possible explanation as to how those spammers got a hold of my address list in Gmail. Yes, Google, Dropbox, and GitHub were fully affected, plus many others.

----------

What does Chrome OS have to do with this?

Lots of Linux OSs were affected.

----------

This statement is proof that "Apple fans" who think they know what they're talking about, will be laughed at when confronted by a person who knows their stuff.

As said, this has nothing to do with OS X, iOS, Windows, or Android.

Seriously though, you really made yourself sound very naive.

Not really nothing. I don't know, maybe Apple and MS didn't want to use that version of OpenSSL without thorough inspection. Maybe they have measures in place to avoid falling victim to exploits in open-source software. We can't know.

It seems only Android 4.1.1 version is effected per their blog http://googleonlinesecurity.blogspot.com/2014/04/google-services-updated-to-address.html

Also those using OS X should go to Keychain Access->Preferences->Certificates […]

Thanks! Now I don't have to worry as much.

 

[C DM]

yea but it's still affected where as ios isn't at all



win for us ios users knowing we have one of the more secured os's out there

definitely can't say that about android, they come out the box with malware lol

The problem affects iOS users as well since it's server-side and no matter what OS you use to access those affected servers (of which there were very many due to how widespread this was).

This isn't about an OS being more secure than another one, it's a different kind of issue.

Plus let's not forget the whole simple yet very severe SSL bug that was affecting iOS (and not Android or any other mobile OS) for well over a year and just got patched only recently. No OS/software is fully secure or issue free realistically speaking.

 

[bzero]

yea but it's still affected where as ios isn't at all



win for us ios users knowing we have one of the more secured os's out there

definitely can't say that about android, they come out the box with malware lol

It only matters if you're hosting a SERVER on your iPhone. Don't tell me you're doing that. And iOS was affected by that CLIENT-side security flaw (the "goto" bug), so I wouldn't boast about its security. In fact, along with the uselessness of the Mavericks update, I must say that Apple's engineers have been slipping lately.

 

[IJ Reilly]

To be clear... 66% of internet facing websites that are secured use OpenSSL.

To be clear, it was the MR article that said it affected "66% of the internet," without making any further distinctions. I was pointing out the inaccuracy of this statement.

 

[laurihoefs]

This is what a Walled Garden gets you

Maybe you missed all the news of the fairly recent goto fail; bug?

Proof that Apple is more secure than Android of Windows. This should shut those boys up.

Considering that Apple uses OpenSSL, just not the affected version, and that Windows is not directly affected at all, what exactly do you mean?

It won't. Face it. Fandroids are robots.

another win for ios & another loss for android

While iOS does not directly suffer from this bug, it affects iOS users as well as Android users, as many websites and services used by both are affected.

Not everything is about iOS vs Android.

Everyone should agree Apple made a very smart decision not implementing OpenSSL in their infrastructure. As a result, we Apple consumers can feel safe and protected while everyone else is scrambling to undo all the damage and the associated security risks for their consumers.

Apple uses OpenSSL, just not the affected version.

 

[locust76]

Do you know why Apple services and products were not affected? Pure dumb luck.

Apple is just lazy - they keep their BSD subsystem ridiculously outdated:



Although 0.9.8y was released earlier this year, it was a minor point release for a major version of SSL originally released in 2005.

Because making sure the version number is the highest is more important than evaluating software based on its functionality, amirite?

 

[jkichline]

Wholes vs Holes

The garden is walled, except for wholes found from time to time.

If OpenSSL knew the difference between wholes and holes, we'd probably not be in this mess

 

[subsonix]

The Apple version is not exploitable, but as you said "there may be dependencies on it" then openssl (an older version) is running and if it was the current version it would be EXPLOITABLE.

You mean if even though it was deprecated and replaced with a completely different library after Snow Leopard, the deprecated version was still kept up to date with a new version that also got linked with something, if that happened then it would be affected. Yes. It's a self-evident statement, that depends on events that never happened.

 

[DriedTurnip]

Google is safe if you use two-pass and you don't replicate usernames and passwords to other sites. They use perfect forward secrecy so it doesn't matter if someone has the SSL keys for your account.This is all assuming someone knew about the flaw and was sucking data from Google's RAM.

 

[Tech198]

(what a name, you'd think they could be better at that one)

Personally, i don't trust any closed system no more. They have the most trouble.

 

[MH01]

Apple could not resist that zinger

Android apparently incorporated it. Ouch.

It's much more spread than that . Windows machines were safe.

Also the big companies were told ahead of time and had time to patch thier services . When a markerting/press statement says the issue did not affect them, that means it's all patched. If you asked them if it affected them 6 months ago , or even a month ago, I'd be interested by the response.

 

[Merode]

If OpenSSL knew the difference between wholes and holes, we'd probably not be in this mess

I agree holeheartedly.

wholes?

hmm, I'm gonna think about that while I enjoy my hore.

This one is a doozy

Wow, so much noise about an error made by foreigner whose first language isn't even english. My congratulations on your sense of humour.

I've had this on my mind: https://www.macrumors.com/2014/02/22/os-x-ssl-vulnerability/ but I guess making fun of mistype is above it.

 

[subsonix]

If you asked them if it affected them 6 months ago , or even a month ago, I'd be interested by the response.

The bug was found last week.

 

[mw360]

Just to be safe, I went about changing my Apple IDs today (all 6 of them) and spent an hour trying to get em all done. Frustrated, I went and got 1password despite my reservations about the iOS app and was surprised by how easy it was.

Needless to say, it saved me a lot of trouble.

If you read the Agilebits blog (makers of 1password) which is usually very informative, they actually advocate keeping your old passwords until the affected services tell you to change it. Their reasoning is pretty interesting - basically until the service tells you to change the password, you can't be sure they have completed all the work necessary to secure your new password.

 

[roadbloc]

Proof that Apple is more secure than Android of Windows. This should shut those boys up.

What has Windows got to do with this? Last time I checked, Microsoft don't use OpenSSL for their internet services either.

I could be wrong though.

 

[BvizioN]

As said, this has nothing to do with OS X, iOS, Windows, or Android

Of course it has nothing to do with it. But it would had everything to do with it only if Apple's operating system were effected! It's a no brainer

 

[Cyborg21]

Do you know why Apple services and products were not affected? Pure dumb luck.

Apple is just lazy - they keep their BSD subsystem ridiculously outdated

Not really, Apple is very careful about which technology will be put into their products. They do not want to be ''first'' in new technologies. When something ''new'' gets released Apple waits until they be sure about it. So, the problems like that do not happen.

 

[gnasher729]

The problem affects iOS users as well since it's server-side and no matter what OS you use to access those affected servers (of which there were very many due to how widespread this was).

This isn't about an OS being more secure than another one, it's a different kind of issue.

Well, yes. The problem is that any server that I used or will use could have been affected by the problem, which means hackers could have accessed information on that server, which means for example server certificates could have been stolen. If someone stole Apple's server certificates, and I try buying something from the App Store, then someone who is capable of redirecting my computer to access their server and not Apple's (which is difficult but not impossible, and neither I nor Apple can do something about it) could then impersonate Apple's server and steal whatever encrypted data my computer sends to Apple. Like credit card numbers.

Apple's message is that Apple's servers were not vulnerable. So I can safely continue using them. Which is important to me, because I spend money there which could get stolen.

The MacRumors site - I don't really care. Worst case, someone could get my password and post nonsense under my name. But most of us do that kind of thing anyway We had our password scare, which meant I'm not using this password anywhere important. _If_ MacRumors had some paid for service and asked for my credit card number, I'd _really_ want to know that they are not vulnerable.

The four sites that I personally really wanted to hear from are Apple, Amazon, EBay and PayPal. Most other sites that I use shouldn't be able to hurt me.

 

[unlinked]

What does Chrome OS have to do with this?

I can't imagine many people run web sites or servers of any kind on Chrome OS boxes.

 

[satcomer]

http://arstechnica.com/apple/2012/0...ly-controls-half-a-million-macs-and-counting/
by Jacqui Cheng - Apr 5 2012

If you really think about it they had to test the patch against all their devices iOS & OS X machines, even against version too before releasing the patch.

 

[samcraig]

It seems completely idiotic for people to use this story to praise or dis any OS or company.

Fact is - I would almost bet everyone on this thread is affected regardless of what phone, tablet, computer, OS, etc they use.

It's like some of you think that because the back door of your house was completely locked, that it doesn't matter that the front door was wide open.

 

[smirking]

You can attack clients with it, but it involves far more work, requires good timing, and requires additional information which attackers generally can't get.

With the exception of Yahoo, its generally smaller websites and services you have to worry about. The Verge, ArsTechnica, Anandtech, etc. Macrumors would probably be vulnerable, but SSL isn't used to begin with.

Thank you. I'm getting really annoyed with the panic over this. Yes, it's bad. Yes, we should be wondering if anything is actually as safe as we're led to believe, but big systems have all sorts of attack and intrusion dectection systems in place that would have raised alarms if massive attempts to exploit this bug were already in the wild.

The small frys is where the greatest potential for exposure lies and they're the ones who have the least ability to detect an atypical intrusion attempt, but they're also less likely to be attacked for their data since they tend not to have much of value and like you pointed out, a lot of them don't even bother with SSL anyway so you're already exchanging passwords in plain text with them... and that practice isn't going to stop anytime soon.

I'd worry about my bank account and anything that has to do with money and finances, but there are so many other less critical services out there that have far greater weaknesses that I'd be more worried about regular day to day threats... which Heartbleed now is thanks to the widespread publicity.

 

[discounteggroll]

sorry, couldn't resist

 

[jc1350]

(what a name, you'd think they could be better at that one)

Personally, i don't trust any closed system no more. They have the most trouble.

It's actually not a bad name. From http://heartbleed.com (info site about the flaw):

Why it is called the Heartbleed Bug?

Bug is in the OpenSSL's implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.