Apple Confirms 'Heartbleed' Security Issue Did Not Affect Apple Software and 'Key Services'

[till213]

"Do you know why Apple services and products were not affected? Pure dumb luck.

Apple is just lazy."

Maybe they did a careful review of this version 0.9.8y. And they didn't want to switch to another version with another very careful review

Because they are lazy?

which turned out to be the right decision.

Out of pure dumb luck?

Did you just repeat what the OP wrote?

----------

As a result, we Apple consumers can feel safe and protected ...

You always can "feel" comfy and cuddle each other - that is your right to do so.

However I as a Mac user feel very worried, because y'know, even though Apple discouraged developers from using their older OpenSSL library (which, yes!, is installed on OS X!) nothing prevents any App (*) to ship along with their own private (newer) OpenSSL framework!

(*) Not counting the App Store for now - not sure whether that would get an App rejected to ship along with their own OpenSSL, but I don't think so. Anyone knows?

----------

You may want to check your Mavericks install:

OpenSSL> version
OpenSSL 0.9.8y 5 Feb 2013

You may want to check with the Apple Developer guidelines: the use of OpenSSL is discouraged (in favour of the usage of Apple's own libs).

 

[jnpy!$4g3cwk]

Apple today released a statement to Re/code confirming that iOS, OS X and "key web services" were unaffected by the widely publicized security flaw known as Heartbleed

I'm thinking that the people arguing in favor of software diversity and against software monoculture for just this reason are correct.

 

[Tacitus]

wholes?

Yes, you get them from a wholesaler…..

 

[bbeagle]

However I as a Mac user feel very worried, because y'know, even though Apple discouraged developers from using their older OpenSSL library (which, yes!, is installed on OS X!) nothing prevents any App (*) to ship along with their own private (newer) OpenSSL framework!

It's not something you should be worried about.

In 2 years, an App could ship with the broken OpenSSL framework. What's to stop that from happening? On ANY OS? Nothing.

You can't worry about things beyond your control.

----------

Ohh! The irony of Apple complaining about openssl deprecating parts of their API too quickly. Apple are the kings of doing this kind of thing.

What are you talking about - the 'kings'? Apple does this, so does pretty much any API developer. I've worked with far worse APIs where, at times, there was only a few months between an API being introduced and it being deprecated or even taken away. Java is more king than anyone.

 

[till213]

Go look for the link yourself since you seem to have lotsa time on hand. If you are a Mac user, you would have noticed the news that JVM were turned off.

MOOOOONTHS later than when that security hole blew up!

What are you actually trying to imply? That Apple reacted promptly when that CRITICAL Java had been fixed? Try again.

 

[hansonjohn590]

This is what a Walled Garden gets you

You have absolutely no idea what you're talking about.

 

[GenesisST]

wholes?

hmm, I'm gonna think about that while I enjoy my hore.

Although you comment is funny, I get that you never made a single typo in your life or written in a language that is not your native one?

----------

Hail, Apple! Get your brag on!

Remember the reason for iOS 7.0.6?

 

[till213]

You can't worry about things beyond your control.

That's one way to look at things

At least I count myself to the 1% of Mac users who are able to figure out which which frameworks/libs a given application links with and what their version is.

 

[bbeagle]

Right.. you're an expert in the field for 20 years and you can't read a standard CVE?

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

This has NOTHING to do with the version of Apache and everything to do with the version of SSL that Apache was compiled against.

Why are there constant attacks on these message boards?

I was trying to write for the lay person. The lay person doesn't care whether OpenSSL and Apache are 2 different things, to them there's a web site - and it needs both. They ARE the same thing. Most people can become vulnerable by transmitting their username/passwords to a website (which under the covers is using OpenSSL but they don't care or understand).

If you were in my office, the terminology would be different. If I'm in my boss' office, the terminology is different. I use my lay person's voice here - much as though I was explaining it to my wife, who's a technically inept. Meet me on a different technical message board and we can talk details.

 

[bbeagle]

That's one way to look at things

At least I count myself to the 1% of Mac users who are able to figure out which which frameworks/libs a given application links with and what their version is.

But, again, I know we've done this before in our code....

You can always SHIP with a certain API, but not use that API - but a modified version of it.

For example, I can ship with an API, and use some of it's functions. But a particular function doesn't work quite the way I want. A developer cuts and pastes the API's implementation of this function, modifies it a bit, and puts it back into HIS API, and only calls HIS API's implementation.

Unless you can read every line of code, you never know when this happens. We've had lazy programmers do just what I described above. It's no fun to debug when problems come up.

 

[SusanK]

Apple could not resist that zinger

Android apparently incorporated it. Ouch.

Yes, Apple was first with the SSL bug. Do they think android wanted to copy that too?

 

[BornAgainApple]

You have absolutely no idea what you're talking about.

Ouch, that hurt

 

[dugbug]

Yes, Apple was first with the SSL bug. Do they think android wanted to copy that too?

Its a question of how they get patched/updated. All phones will have holes now and then. This is what is really going to hurt.

 

[gotluck]

Its a question of how they get patched/updated. All phones will have holes now and then. This is what is really going to hurt.

do you know anyone running android 4.1.1? that is the only susceptible version

 

[mingoglia]

Do you know why Apple services and products were not affected? Pure dumb luck.

Apple is just lazy - they keep their BSD subsystem ridiculously outdated:



Although 0.9.8y was released earlier this year, it was a minor point release for a major version of SSL originally released in 2005.

You are correct sir. I'm glad to see some realize the underpinnings of OSX is BSD based. I'm a huge BSD fan, which is the only reason why I moved from an X-Windows environment to OSX. Apple's operating systems were a failure until they moved it to live on top of UNIX. Unfortunately Apple takes and receives all the credit for their "great and stable" operating system but everything stable about it is because of the foundation. A foundation not built by Apple.

In Apple's defense though, even my FreeBSD servers were still running 0.9.8y, and therefore were unaffected. I did have to upgrade my FreeBSD based OpenVPN servers, but the VPN software used 1.01g libraries and not the older non-vulnerable 0.9.8y the OS used.

 

[ptb42]

It's a web server thing, nothing to do with a web browser.

Actually, clients using OpenSSL are vulnerable to this bug as well.

However, a client would have to connect to a malicious server.

 

[knownikko]

Fortunately, MacRumors Forums were unaffected by the security flaw.

...since we don't bother to encrypt your sessions or logins at all.

 

[forkmonkey]

PR move

apple devices are "unaffected" by Heartbleed huh. They are immune to having their own RAM contents stolen but if an apple device visits an affected website (eg. 66% of the internet) you can still easily have your session hijacked and any private information you send stolen. Just a PR move by apple.

 

[639051]

So much stupidity here ... but then again it is Macrumors!

 

[C DM]

do you know anyone running android 4.1.1? that is the only susceptible version

Anyone with any version of Android (or pretty much any other OS) is still susceptible when visiting one of many sites online that were affected by this.

 

[dugbug]

do you know anyone running android 4.1.1? that is the only susceptible version

Security researchers said that version of Android is still in use in millions of smartphones and tablets, including in popular models made by Samsung Electronics Co., HTC Corp. and other manufacturers.

I hope those folks are provided a patch by the carriers

 

[gotluck]

Anyone with any version of Android (or pretty much any other OS) is still susceptible when visiting one of many sites online that were affected by this.

Yes indeed. Including ios

 

[Cubytus]

I hope those folks are provided a patch by the carriers

Carriers? Patching anything? Have you ever seen them doing anything that would not directly benefit their bottom line?

More interestingly, how do we know which version of SSL is implemented in a given OS X?

 

[GALENOS]

Read about this on the verge .. I dont see why people say mac are so vulnerable anyways??

 

[olowott]

I paid good money for it , never regretted it