Do you know why Apple services and products were not affected? Pure dumb luck.

Apple is just lazy - they keep their BSD subsystem ridiculously outdated:



Although 0.9.8y was released earlier this year, it was a minor point release for a major version of SSL originally released in 2005. :eek:

What you call lazy others might call prudent. Rushing to implement every update ends you up in the 66%.

Perhaps apple has always been intentionally cautious and thus waits for systems to become super fatigued and expose any potential vulnerability. Time is the biggest factor in finding out if particular software is secure, so it is disingenuous to label them lazy over prudent.

People want to pretend apple does not take things slow for this very reason. It took two years for the heartbleed bug to be made public. It is not like nobody has known that these sorts of libraries can only be seasoned with time. So having a cautious upgrade policy makes sense.

What major functionality did apple give up for this security? Rushing to be the first one to install updates is not sound security.

----------

Security through obscurity is not more secure. The fact that Apple doesn't use OpenSSL is actually more alarming since OpenSSL is a known entity that is constantly analyzed for security exploits. Perhaps they use another well known security library but their "press release" doesn't provide any useful information in that regard.

Buck up chuck. It is not security through obscurity. They use OpenSSL. They just don't feel the need to rush out every update as soon as it is made available. Especially when it does not provide any benefit to them.

----------

Riiiiggght. What do you have to support this claim other than being an Apple apologist?

What do you have to support your claim that Apple is not cautious and prudent with updating software?

What supports the claim is they continue to run an older more secure version of the software. What do you have?
 
Sorry, but when extremely talented developers from all over the world for many different operating systems missed this bug, I don't believe Apple was being cautious...

Debian Wheezy
Ubuntu 12.04.4 LTS
CentOS 6.5
Fedora 18
OpenBSD 5.3
FreeBSD 8.4
NetBSD 5.0.2
OpenSUSE 12.2

And others were vulnerable.

OpenBSD developers have a hard earned reputation for being security freaks...they even missed this.

Not sure what any of that means. Why are you mad that apple was prudent and cautious? It is a pretty good strategy and one many more companies will be adopting after this. Automatically updating new versions "just cause" is not a good strategy, especially from a security standpoint. As long as you are vigilant to actually patch and upgrade when issues arise you are fine. Just updating because a new version is out is not "being a security freak", it is being an impetuous teenager. You even noted apple does this routinely yet you refuse to accept it could be because they are being careful. It is pretty obvious that is a driving force.

Yet because apple's long standing behavior makes them look good here and others look bad you have to try and come up with something to turn it into what it is not. Your java example was awful as every version of Java is awful and full of holes.

It is not about catching this particular bug in an audit. It is about not upgrading software without reason which then potentially exposes you to new avenues of attack. Like I said time is the biggest benefactor. Sure older versions of software can be exploited but if specific attacks or bugs exist and are fixed that is an actual reason to upgrade. People did not upgrade to the latest OpenSSL because it introduced a bunch of fatal bug fixes in .98. Most upgraded because it was new and too many people have this mantra that keeping everything up to date with the latest version is a good security policy. As long as you are actively aware of vulnerabilities in older, more seasoned versions of software, taking your time is better security.

In some cases updates provide substantial benefit or security fixes that make updating a no brainer. This does expose you to new exploits. It is a trade off.

Please list what apple was missing out on by staying with the older, more secure version of OpenSSL. I suspect you have no idea.

----------

It's probably important to note that anyone running a website on an affected system which used an SSL certificate should be asking their SSL provider to revoke and reissue - this bug allowed private keys to be leaked.

----------



Right.. you're an expert in the field for 20 years and you can't read a standard CVE?

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

This has NOTHING to do with the version of Apache and everything to do with the version of SSL that Apache was compiled against.

How do I know? Because all week I have been managing a team which has been updating SSL and recompiling Apache on more than a thousand vulnerable servers.

----------



And it's not a "web server thing" - it's an "anything compiled against a vulnerable version of openssl" thing. Eg - DB, FTP, SMTP, POP, IMAP.

Ah makes sense now. You are mad because apple is better at security than you.

----------

Wonder how the guy that wrote the affected SSL code feels about all the buzz..

It is a German professor and he recently released a statement. He feels bad about it. Was just something very small that was missed by him and the person who reviewed the changes.

----------

The same people who scream and shout when Apple doesn't give them their fancy graphics by updating OpenGL are the ones now spouting nonsense about how wise Apple were for running a drastically outdated version of openssl.

Besides, their cause and effect are backwards - they are trying to imply that Apple steered clear of an updated version of openssl because it might contain bugs?

It is far more likely that this version of openssl was targeted because a high proportion of public-facing servers were running this version.

Just like .98 was previously. See how that works?

----------

The primary danger of this incident is that server certificates/keys were stolen.

That allows attackers to perfectly impersonate a site; making the browser say with the little key lock icon "Connection is secure, site is verified and trusted".

Yeah was reading about a company testing this. May not be very likely keys were exposed with this. Through extensive testing they were unable to ever get any key data. At worst it means it is very hard to actually get such data and at best systems may not actually expose keys due to other factors outside of this particular functionality.

I am trying to find the story I read today and the company who mentioned this. Still makes sense to get new certificates but it is possible there was no actual exposure.
 
The bug was found last week.

It's existed since 2011.

It became public last week.

By the time it became public the SSL cert companies were working with big companies to patch prior to public announcement.

You can't announce something of this scale publicly until you have made huge efforts to patch systems. It would be a novice hacker's Xmas come early.
 
It's existed since 2011.

It became public last week.

By the time it became public the SSL cert companies were working with big companies to patch prior to public announcement.

You can't announce something of this scale publicly until you have made huge efforts to patch systems. It would be a novice hacker's Xmas come early.

You're mistaken. It became public one week after it got discovered, but the bug itself was introduced several years earlier, but unnoticed of course.

Edit: here's a quote from Cloudflare's (one of the companies that got notified in advance) blog: "At CloudFlare, we received early warning of the Heartbleed vulnerability and patched our systems 12 days ago.".
 
It's existed since 2011.

It became public last week.

By the time it became public the SSL cert companies were working with big companies to patch prior to public announcement.

You can't announce something of this scale publicly until you have made huge efforts to patch systems. It would be a novice hacker's Xmas come early.
From what I've read some of the larger companies got an earlier warning while a lot of others (including some big ones as well) didn't. They wanted to wait to release the info about it publicly a bit later (a few days later) and perhaps let more companies know and give them more time, but they were supposedly afraid that the information would leak out and possibly create more of an issue so they released it before they let a lot of others know.
 
From what I've read some of the larger companies got an earlier warning while a lot of others (including some big ones as well) didn't. They wanted to wait to release the info about it publicly a bit later (a few days later) and perhaps let more companies know and give them more time, but they were supposedly afraid that the information would leak out and possibly create more of an issue so they released it before they let a lot of others know.

I guess we will never know to be honest. Though interesting rumours around NSA knowing about it for a while, but I guess that is conspiracy type stuff. I know from dealing with this issue at work this week, SSL Cert companies knew in advance, we were not given a heads up, but some of the companies we deal with, that were affected, had already patched when we found out, cause they issued us with comms saying that the services they provide to us that were critical/secure were patched.

I guess a decision was made on which companies would have got a heads up, based on the data they held.
 
You're mistaken. It became public one week after it got discovered, but the bug itself was introduced several years earlier, but unnoticed of course.

Edit: here's a quote from Cloudflare's (one of the companies that got notified in advance) blog: "At CloudFlare, we received early warning of the Heartbleed vulnerability and patched our systems 12 days ago.".

The bug was officially announced in April 2014. You are either being naive or hoping that the bug may not have been exploited by hackers since the release of OpenSSL version 1.0.1 on March 14, 2012.

It's irrelevant when CloudFlare patched their systems.

Google security team discovered the bug, people who get paid to do it. How about thousands of hackers who look for these exploits for profit? Do you think they will make it official, or exploit it? There are lots of exploits out there being used everyday, by the time they have been announced and patched, a lot of damage has already been done.

Had this issue been live for 1 month, cool. As it has been over 12 months, it's very concerning, hence why everyone is taking this seriously, this is huge.
 
The bug was officially announced in April 2014. You are either being naive or hoping that the bug may not have been exploited by hackers since the release of OpenSSL version 1.0.1 on March 14, 2012.

It was released publicly this week on April 7th: http://www.openssl.org/news/secadv_20140407.txt

It's irrelevant when CloudFlare patched their systems.

Google security team discovered the bug, people who get paid to do it. How about thousands of hackers who look for these exploits for profit? Do you think they will make it official, or exploit it? There are lots of exploits out there being used everyday, by the time they have been announced and patched, a lot of damage has already been done.

Had this issue been live for 1 month, cool. As it has been over 12 months, it's very concerning, hence why everyone is taking this seriously, this is huge.

It's not irrelevant since they were among the companies that got advance notice. http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities

I think you miss the point here. I know it's a big issue, I know the bug has been present for two years in OpenSSL. I know that someone may have known but not told anyone about it and abused it.

This started by you making this comment:

Also the big companies were told ahead of time and had time to patch their services. When a marketing/press statement says the issue did not affect them, that means it's all patched. If you asked them if it affected them 6 months ago, or even a month ago, I'd be interested by the response.

To which I replied; it was discovered last week.
 
It was released publicly this week on April 7th: http://www.openssl.org/news/secadv_20140407.txt



It's not irrelevant since they were among the companies that got advance notice. http://blog.cloudflare.com/staying-ahead-of-openssl-vulnerabilities

I think you miss the point here. I know it's a big issue, I know the bug has been present for two years in OpenSSL. I know that someone may have known but not told anyone about it and abused it.

This started by you making this comment:


To which I replied; it was discovered last week.

Well my bad, for throwing date durations as examples. If you read my comment, I am saying that it's BS marketing / PR for a company to come out and state their services are not affected after a patch has been applied.

What I am more interested in is a company coming out and stating that in my interactions in the last 12 months there was a risk and therefore I need to change my passwords etc.

I work on websites that were affected. We received statements from our 3rd parties that they are clear, followed by that we should change our passwords. What that means is that they are patched, but our passwords might have been compromised, they cannot prove either way.

The public announcement is a red herring. If you have an account that runs on a service that was patched, change your password. If you are not sure, change your password. Unless the company comes out and states they do not use open ssl, do not take the risk.

Let's agree to disagree on the scale of this. You believe it was a problem from last week, I believe it's been a huge problem for at least a month but only made public last week.
 
Well my bad, for throwing date durations as examples. If you read my comment, I am saying that it's BS marketing / PR for a company to come out and state their services are not affected after a patch has been applied.

What I am more interested in is a company coming out and stating that in my interactions in the last 12 months there was a risk and therefore I need to change my passwords etc.

If they are using the affected versions or OpenSSL at all that is.

Let's agree to disagree on the scale of this. You believe it was a problem from last week, I believe it's been a huge problem for at least a month but only made public last week.

It's not a matter of belief, it's a huge problem because of the scale of it, it may potentially have been abused for two years.
 
If they are using the affected versions or OpenSSL at all that is.



It's not a matter of belief, it's a huge problem because of the scale of it, it may potentially have been abused for two years.

So we agree that last week's announcement is just the public acknowledgement and not when the bug may have been first discovered. And as in discovered, I mean by security firms that would disclose it.

It's huge because of how long it's been around.

It's a slap in the face to open source also.

And for anyone that uses the Same password for multiple services, change it Now, even if you think your bank data etc is safe.
 
So we agree that last week's announcement is just the public acknowledgement and not when the bug may have been first discovered. And as in discovered, I mean by security firms that would disclose it.

It was announced this week, April 7th, this Monday. Some got the information early, but you'd be mistaken if you believe that it was months ahead of time, Cloudflare got the announcement last week. They have been criticized for revealing it too early, even though it was discovered at Google; in a public statement about their services made on the 9th it was made clear that not everything was patched still. So why would they release a public announcement before they even patched all their own systems?

It's huge because of how long it's been around.

And also how widespread it is, how easy it is to exploit, and the kind of information that can be had, 64k chunks of server memory, with certificates, passwords and user names and so on.
 
It was announced this week, April 7th, this Monday. Some got the information early, but you'd be mistaken if you believe that it was months ahead of time, Cloudflare got the announcement last week. They have been criticized for revealing it too early, even though it was discovered at Google; in a public statement about their services made on the 9th it was made clear that not everything was patched still. So why would they release a public announcement before they even patched all their own systems?



And also how widespread it is, how easy it is to exploit, and the kind of information that can be had, 64k chunks of server memory, with certificates, passwords and user names and so on.

I've only talked to our security experts and they cannot provide a timeframe. All they have told me is that it was prior to the announcement. Sorry but more important companies than Cloudflare would have known much sooner, like government.

Fair enough, let's agree this is potentially a huge issue. Let's hope not too many got affected by it.
 
I've only talked to our security experts and they cannot provide a timeframe. All they have told me is that it was prior to the announcement. Sorry but more important companies than Cloudflare would have known much sooner, like government.

So even though the experts you have talked to can't provide a time frame, you then go ahead and make a prediction anyway.
 
Because they are lazy?

You sound like a broken record.

----------

In 2 years, an App could ship with the broken OpenSSL framework. What's to stop that from happening? On ANY OS? Nothing.

Actually, if you use an application using the broken OpenSSL framework on your computer (not on a server), a server could try to attack you, but it would only be able to access the memory of the broken application. On MacOS X or iOS, using OpenSSL to access a server would be a very strange thing for an application to do; it is a million times more likely that your application would just use built-in functions to access URLs, and these, luckily enough, have never used that OpenSSL version.
 
So even though the experts you have talked to can't provide a time frame, you then go ahead and make a prediction anyway.

No, that is only the people in our company. Let me make that clear. They informed me that cert companies knew about this way in advance. All I know is that it was prior to the public announcement. I just made a speculative call that it might have been one month or 6 months. And that is what you replied to stating that I was wrong and it was a week ago.

I got grilled this week at work about this, cause I am responsible for a couple of big brand websites, brand reputation is a huge issue, though we were not important enough to get a heads up like some companies. There is a lot of secrecy around this. Though as I stated, some of our partners that provide critical services, got a heads up before the announcement, that was very clear.

My opinion is that it was known in certain parts of industry at least a month prior but could have been a lot worse.


What I am not certain about is if we go back more than a week, were some of Apple's services affected.... hence my original statement.

I'm off for rugby and beers! Like I said, let's agree to disagree. Have a good weekend.
 
Companies are always between a rock and a hard place when it comes to updates.

As someone mentioned, you don't want to rush into an update without first extensively testing to make sure it doesn't break something else that's important.

At the same time, nobody is invulnerable to potential problems if they hang onto older code. Not even Apple.

Remember last July, when Apple had to shut down a bunch of its servers (starting with the Dev site) for quite a few days, partly in order to fix a known problem with database commands, that had a known fix, that a self-proclaimed security researcher brought to their attention by downloading (and showing a video of) thousands of developer names and emails?
 
Ah makes sense now. You are mad because apple is better at security than you.

If you honestly think you can infer that from anything I have said in this thread I can comfortably state that you have absolutely no idea what you are talking about.

I suspect you are just trying to be provocative though.
 
Companies are always between a rock and a hard place when it comes to updates.

As someone mentioned, you don't want to rush into an update without first extensively testing to make sure it doesn't break something else that's important.

At the same time, nobody is invulnerable to potential problems if they hang onto older code. Not even Apple.

This is an especially interesting case because it is the biggest Open Source security bug of this type by far. And, it seems that what happened is exactly what people fear when they stick to existing code. Previous versions of OpenSSL were (allegedly? presumably?) pored over in minute detail. Everything OK. Apparently, a "minor" update was not examined in the same minute detail. It had a subtle, but, deadly for its purpose, bug.

I think the industry needs to take a serious look at what happened, because it does show a weakness in how changes are reviewed. Even a small change in an absolutely crucial little package can and did have a huge impact. I don't think that the (non-realtime etc., non-software-safety-conscious) software world has a good way of tracking and managing risk, and therefore scrutiny applied.
 
Carriers? Patching anything? Have you ever seen them doing anything that would not directly benefit their bottom line?

More interestingly, how do we know which version of SSL is implemented in a given OS X?

Apple stated os x is unaffected. I don't think they use openssl
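An added check for the question above about which OpenSSL a given OS X install carries (example code, not from any poster): a shell function that classifies an `openssl version` string against the range the OpenSSL advisory of 7 April 2014 lists as affected (1.0.1 through 1.0.1f, plus 1.0.2-beta1), and a second that picks the libssl a binary links against out of `otool -L` (OS X) or `ldd` (Linux) output, since, as noted further up, what matters is what each program was compiled against. The sample `otool -L` text is constructed.

```shell
#!/bin/sh
# Added example (not from any post in this thread). Two defender-side checks
# for CVE-2014-0160 on a client machine.

# Affected per the OpenSSL advisory (secadv_20140407):
#   1.0.1 through 1.0.1f, and 1.0.2-beta1.
# Not affected: the 0.9.8 and 1.0.0 branches, 1.0.1g and later.
# Returns 0 (true) when the version string falls in the affected range.
is_heartbleed_vulnerable() {
    # Accept a bare "1.0.1e" or the full "OpenSSL 1.0.1e 11 Feb 2013" line.
    ver=$(printf '%s\n' "$1" | sed 's/^OpenSSL //' | cut -d' ' -f1)
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) return 0 ;;  # 1.0.1 .. 1.0.1f (also "-fips" builds)
        1.0.2-beta1)                   return 0 ;;  # first 1.0.2 beta
        *)                             return 1 ;;  # 0.9.8x, 1.0.0x, 1.0.1g and later
    esac
}

# Which libssl does a binary link against? Pass the text of
# `otool -L /path/to/binary` (OS X) or `ldd /path/to/binary` (Linux).
# Prints the first libssl library name found (e.g. libssl.0.9.8.dylib), or
# nothing if the binary does not link libssl at all (statically linked
# OpenSSL, or a different TLS stack such as SecureTransport).
linked_libssl() {
    printf '%s\n' "$1" | sed -n 's/.*\(libssl[^ ]*\).*/\1/p' | head -n 1
}

# Constructed sample: what `otool -L` prints for an OS X app linked against
# the system libssl (the 0.9.8 line the thread discusses).
SAMPLE_OTOOL='/Applications/Example.app/Contents/MacOS/Example:
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 0.9.8)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)'

# Stand-alone run: report on whatever `openssl` binary is on PATH, if any,
# and on the constructed sample above.
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version)
    if is_heartbleed_vulnerable "$v"; then
        echo "$v: version string is in the affected range (verify vendor backports)"
    else
        echo "$v: version string is outside the affected range"
    fi
fi
echo "sample app links: $(linked_libssl "$SAMPLE_OTOOL")"
```

A distribution that backports the fix keeps the old version string (Ubuntu's patched build still reports 1.0.1e), so a match here means "inspect the package changelog", not "confirmed vulnerable"; the same check applied to every libssl-linked binary, not just the `openssl` tool, is what the "compiled against" posts are getting at.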
 
Right.. you're an expert in the field for 20 years and you can't read a standard CVE?

http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160

This has NOTHING to do with the version of Apache and everything to do with the version of SSL that Apache was compiled against.

How do I know? Because all week I have been managing a team which has been updating SSL and recompiling Apache on more than a thousand vulnerable servers.

And why were you, as you yourself said, "recompiling Apache on more than a thousand vulnerable servers"?

Because the version of Apache you were using was compiled against a vulnerable version of OpenSSL. Thus, unless you went out of your way to recompile Apache against an earlier, unaffected version of OpenSSL, your default, latest version of Apache is vulnerable due to this issue.

So, it *does*, indeed, have something to do with what version of Apache, or any number of other applications, you're running, due to the fact that they are using the vulnerable version(s) of OpenSSL.
 
Maybe you missed all the news of the fairly recent goto fail; bug?



Considering that Apple uses OpenSSL, just not the affected version, and that Windows is not directly affected at all, what exactly do you mean?



:rolleyes:



: snip :



Apple uses OpenSSL, just not the affected version.

Actually, as others have more thoroughly explained earlier in the thread, Apple does not use OpenSSL. It was deprecated, and replaced with SecureTransport (back with Lion?). The last version Apple used is still included in the OS X install so that third-party software which relied on it (back when it *was* the SSL library for OS X) will still function, not because anything Apple makes uses it.

----------

"Do you know why Apple services and products were not affected? Pure dumb luck.

Apple is just lazy."



Because they are lazy?



Out of pure dumb luck?

Did you just repeat what the OP wrote? :D

Nope. Apple transitioned to a different SSL/TLS library (SecureTransport) way back with the release of Lion because the OpenSSL library didn't maintain a stable API. Thus, maintaining compatibility with and support of OpenSSL required a lot of *unnecessary* work. (Avoiding unnecessary work is a sign of intelligence, not laziness.)

The version of OpenSSL included with modern OS X installs is there to maintain compatibility with third-party applications which relied on that library back when it *was* the supported SSL/TLS library in OS X. It was not updated to the current 1.x.x branch because that would have prevented compatibility with applications which were compiled against the older version, thus defeating the purpose of including it in the first place.

Not 'lazy', just software development done right. :eek:
 
Why didn't Apple release a statement to a bigger news outlet?

Why did Apple only release a statement to Re/code, a site that I never heard of until recently? It seems strange if they were going to release a statement, why wouldn't they release to a bigger news outlet like the Wall Street Journal?
 