"Do you know why Apple services and products were not affected? Pure dumb luck.

Apple is just lazy."

Maybe they did a careful review of this version, 0.9.8y, and they didn't want to switch to another version, with another very careful review.

Because they are lazy?

which turned out to be the right decision.

Out of pure dumb luck?

Did you just repeat what the OP wrote? :D

----------

As a result, we Apple consumers can feel safe and protected ...

You always can "feel" comfy and cuddle each other - that is your right to do so.

However I as a Mac user feel very worried, because y'know, even though Apple discouraged developers from using their older OpenSSL library (which, yes!, is installed on OS X!), nothing prevents any App (*) from shipping with its own private (newer) OpenSSL framework!

(*) Not counting the App Store for now - not sure whether shipping with their own OpenSSL would get an App rejected, but I don't think so. Does anyone know?

----------

You may want to check your Mavericks install:

OpenSSL> version
OpenSSL 0.9.8y 5 Feb 2013

You may want to check with the Apple Developer guidelines: the use of OpenSSL is discouraged (in favour of the usage of Apple's own libs).
 
Apple today released a statement to Re/code confirming that iOS, OS X and "key web services" were unaffected by the widely publicized security flaw known as Heartbleed.

I'm thinking that the people arguing in favor of software diversity and against software monoculture for just this reason are correct.
 
However I as a Mac user feel very worried, because y'know, even though Apple discouraged developers from using their older OpenSSL library (which, yes!, is installed on OS X!), nothing prevents any App (*) from shipping with its own private (newer) OpenSSL framework!

It's not something you should be worried about.

In 2 years, an App could ship with the broken OpenSSL framework. What's to stop that from happening? On ANY OS? Nothing.

You can't worry about things beyond your control.

----------

Ohh! The irony of Apple complaining about openssl deprecating parts of their API too quickly. Apple are the kings of doing this kind of thing.

What are you talking about - the 'kings'? Apple does this, so does pretty much any API developer. I've worked with far worse APIs where, at times, there were only a few months between an API being introduced and it being deprecated or even taken away. Java is more king than anyone.
 
Go look for the link yourself since you seem to have lots of time on hand. If you are a Mac user, you would have noticed the news that the JVM was turned off.

MOOOOONTHS later than when that security hole blew up!

What are you actually trying to imply? That Apple reacted promptly when that CRITICAL Java hole had been fixed? Try again.
 
You can't worry about things beyond your control.

That's one way to look at things ;)

At least I count myself among the 1% of Mac users who are able to figure out which frameworks/libs a given application links with and what their version is.
 
Right.. you're an expert in the field for 20 years and you can't read a standard CVE?

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

This has NOTHING to do with the version of Apache and everything to do with the version of SSL that Apache was compiled against.

Why are there constant attacks on these message boards?

I was trying to write for the lay person. The lay person doesn't care whether OpenSSL and Apache are 2 different things, to them there's a web site - and it needs both. They ARE the same thing. Most people can become vulnerable by transmitting their username/passwords to a website (which under the covers is using OpenSSL but they don't care or understand).

If you were in my office, the terminology would be different. If I'm in my boss' office, the terminology is different. I use my lay person's voice here - much as though I was explaining it to my wife, who's technically inept. Meet me on a different technical message board and we can talk details.
 
That's one way to look at things ;)

At least I count myself among the 1% of Mac users who are able to figure out which frameworks/libs a given application links with and what their version is.

But, again, I know we've done this before in our code....

You can always SHIP with a certain API, but not use that API - but a modified version of it.

For example, I can ship with an API, and use some of its functions. But a particular function doesn't work quite the way I want. A developer cuts and pastes the API's implementation of this function, modifies it a bit, and puts it back into HIS API, and only calls HIS API's implementation.

Unless you can read every line of code, you never know when this happens. We've had lazy programmers do just what I described above. It's no fun to debug when problems come up.
 
Do you know why Apple services and products were not affected? Pure dumb luck.

Apple is just lazy - they keep their BSD subsystem ridiculously outdated:
Although 0.9.8y was released earlier this year, it was a minor point release for a major version of SSL originally released in 2005. :eek:

You are correct sir. I'm glad to see some realize the underpinnings of OSX are BSD based. I'm a huge BSD fan, which is the only reason why I moved from an X-Windows environment to OSX. Apple's operating systems were a failure until they moved it to live on top of UNIX. Unfortunately Apple takes and receives all the credit for their "great and stable" operating system, but everything stable about it is because of the foundation. A foundation not built by Apple.

In Apple's defense though, even my FreeBSD servers were still running 0.9.8y, and therefore were unaffected. I did have to upgrade my FreeBSD based OpenVPN servers, but the VPN software used 1.0.1g libraries and not the older non-vulnerable 0.9.8y the OS used.
 
PR move

Apple devices are "unaffected" by Heartbleed, huh. They are immune to having their own RAM contents stolen, but if an Apple device visits an affected website (e.g. 66% of the internet) you can still easily have your session hijacked and any private information you send stolen. Just a PR move by Apple.
 
Do you know anyone running Android 4.1.1? That is the only susceptible version.

Anyone with any version of Android (or pretty much any other OS) is still susceptible when visiting one of the many sites online that were affected by this.
 
I hope those folks are provided a patch by the carriers.

Carriers? Patching anything? Have you ever seen them doing anything that would not directly benefit their bottom line?

More interestingly, how do we know which version of SSL is implemented in a given OS X?
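An added example, not posted by anyone in this thread: a small POSIX shell script that does the "openssl version" check from earlier in the thread, answers the question just above for the system copy, and also does the harder part raised earlier (finding out which OpenSSL an application itself links against) by walking an .app bundle for private libssl/libcrypto copies and reading the OPENSSL_VERSION_TEXT banner embedded in each one. The affected ranges are those from CVE-2014-0160 (1.0.1 through 1.0.1f and 1.0.2-beta1 vulnerable; 1.0.1g fixed; 0.9.8 and 1.0.0 never had the heartbeat code). The library filename patterns searched, and the function names, are this example's own assumptions, not Apple's or OpenSSL's tooling.

```shell
#!/bin/sh
# Classify an "openssl version" banner against CVE-2014-0160 (Heartbleed).
# Vulnerable: OpenSSL 1.0.1 through 1.0.1f, and 1.0.2-beta through 1.0.2-beta1.
# Not affected: the 0.9.8 and 1.0.0 branches (no TLS heartbeat code at all).
# Patched: 1.0.1g and anything newer. Anything else is reported as unknown.
heartbleed_status() {
  set -- $1                                # split the banner on whitespace
  [ "$1" = "OpenSSL" ] || { echo "not-openssl"; return 0; }   # e.g. LibreSSL
  case "$2" in
    1.0.1|1.0.1[a-f]|1.0.1[a-f]-*)      echo "vulnerable" ;;
    1.0.2-beta|1.0.2-beta1)             echo "vulnerable" ;;
    1.0.1[g-z]*|1.0.2*|1.1.*|[2-9].*)   echo "patched" ;;
    0.9.*|1.0.0*)                       echo "not-affected" ;;
    *)                                  echo "unknown" ;;
  esac
}

# Pull the embedded version banner ("OpenSSL 1.0.1e") out of a library file.
# OpenSSL compiles OPENSSL_VERSION_TEXT into libcrypto, so no otool needed.
embedded_openssl_version() {
  grep -ao 'OpenSSL [0-9][0-9A-Za-z.-]*' "$1" | head -n 1
}

# Walk an .app bundle (or any directory) and report every private OpenSSL copy.
# The system copy in /usr/lib is deliberately not searched; the point is what
# the application ships inside its own bundle. Filename patterns are assumed.
scan_bundle() {
  libs=$(find "$1" -type f \( -name 'libssl*.dylib' -o -name 'libcrypto*.dylib' \
           -o -name 'libssl.so*' -o -name 'libcrypto.so*' \) 2>/dev/null || true)
  if [ -z "$libs" ]; then
    printf 'no bundled OpenSSL under %s\n' "$1"
    return 0
  fi
  printf '%s\n' "$libs" | while IFS= read -r lib; do      # handles spaces in paths
    banner=$(embedded_openssl_version "$lib")
    status=unknown
    [ -z "$banner" ] || status=$(heartbleed_status "$banner")
    printf '%s: %s -> %s\n' "$lib" "${banner:-no version string}" "$status"
  done
}

# Usage: sh heartbleed-check.sh [/Applications/Foo.app ...]
main() {
  if command -v openssl >/dev/null 2>&1; then
    sys=$(openssl version)                 # Mavericks prints "OpenSSL 0.9.8y 5 Feb 2013"
    printf 'system openssl: %s -> %s\n' "$sys" "$(heartbleed_status "$sys")"
  fi
  for app in "$@"; do
    scan_bundle "$app"
  done
}
main "$@"
```

Run it with no arguments to classify the system copy, or pass one or more .app bundles to see whether they carry their own libssl and which version it is. A "patched" or "not-affected" system copy says nothing about an application that bundles 1.0.1e privately, which is exactly the worry raised earlier in the thread.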
 
Read about this on The Verge... I don't see why people say Macs are so vulnerable anyway??
 