Printed from http://www.electronista.com

Apple confirms its services not affected by 'Heartbleed' flaw

updated 08:42 pm EDT, Thu April 10, 2014

SSL bug could still be found in Mac servers running PostgreSQL, MacPorts, other add-ons

Apple confirmed on Thursday that all of its operating systems and key web services, as well as its website and iCloud service, are not affected by the "Heartbleed" SSL flaw that is threatening much of the web. The "Heartbleed" bug, a flaw in the implementation of later versions of OpenSSL -- which is used by many but not all websites to handle secure log-ins and other transactions -- has put as much as two-thirds of the World Wide Web at risk.

The problem was found in the TLS/DTLS heartbeat extension in OpenSSL 1.0.1 and higher by Google security researcher Neel Mehta, and opens the protocol to compromise by allowing hackers to read up to 64KB of cached memory that may contain login credentials and other information. Emails and other notifications have already started arriving from companies and services on the web that have since patched the problem (version 1.0.1g was released earlier this week to correct the flaw), telling customers they will need to reset their passwords for any affected site.
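The affected range given above (OpenSSL 1.0.1 and higher, corrected in 1.0.1g) can be checked against what a server actually has installed. The script below is an added example, not from the article or from Apple; the install prefixes it scans are assumed defaults for MacPorts and Homebrew, and it reads upstream version banners only.

```sh
#!/bin/sh
# Classify an upstream OpenSSL banner against the range the article gives:
# 1.0.1 and later affected, 1.0.1g corrected. Vendor builds that backport
# the fix without changing the version letter will read as "vulnerable".
heartbleed_status() (
    # Version is the second field; anything not labelled OpenSSL is unknown.
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        '')                               echo unknown ;;
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*)    echo vulnerable ;;      # 1.0.1 to 1.0.1f
        1.0.1[g-z]*)                      echo patched ;;         # 1.0.1g onward
        0.9.*|1.0.0*)                     echo not-affected ;;    # older branches
        *)                                echo check-manually ;;  # betas, newer branches
    esac
)

# Report every openssl binary found in the assumed default prefixes for
# MacPorts (/opt/local) and Homebrew (/usr/local, /opt/homebrew), plus PATH.
# A service such as PostgreSQL may link a different libssl than these CLIs.
scan_openssl() (
    for bin in /opt/local/bin/openssl /usr/local/bin/openssl \
               /opt/homebrew/bin/openssl "$(command -v openssl || true)"; do
        [ -x "$bin" ] || continue
        banner=$("$bin" version 2>/dev/null) || continue
        printf '%-28s %s -> %s\n' "$bin" "$banner" "$(heartbleed_status "$banner")"
    done
)

# Constructed sample banners (typed in for illustration, not captured output).
for sample in "OpenSSL 0.9.8y 5 Feb 2013" "OpenSSL 1.0.1e 11 Feb 2013" \
              "OpenSSL 1.0.1g 7 Apr 2014"; do
    printf '%-28s -> %s\n' "$sample" "$(heartbleed_status "$sample")"
done
scan_openssl
```

A "patched" or "not-affected" result for the command-line binary says nothing about a daemon that was started before the upgrade; restart services after updating so they load the new library.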

"Apple takes security very seriously. OS X and iOS never incorporated the vulnerable software, and key web-based services were not affected," said an Apple spokesperson. However, OS X in particular is often used for web serving, with additional UNIX-based add-ons available that may still compromise homebrew servers. Users running MacPorts, PostgreSQL, BREW or certain other non-Apple serving add-ons may still be at risk of using the compromised OpenSSL version, and should upgrade or disable the services immediately.



Most major websites (Google, Facebook, Microsoft et cetera) have now implemented fixes for the flaw if they were running OpenSSL, or issued statements that they weren't running it in the first place, reports AppleInsider. Many sites, such as major banks as well as Apple, never used the technology and are thus unaffected by the problem, which has been deemed "critical" due to OpenSSL's widespread use on web servers.

Users are cautioned to be wary of "phishing" emails that may take advantage of the crisis to send fake "please reset your credentials" type messages. Readers who receive such a warning are advised not to click any links in the email, and instead to visit the site directly and change passwords there, once the site has verified that it has upgraded its OpenSSL or never used the flawed protocol.

Consumer and security advocates recommend routine changing of passwords every now and then anyway as a security precaution. They recommend using strong passwords made up of a combination of letters, cases and numbers -- and using a password manager like iCloud Keychain, 1Password or LastPass to generate, store and manage the strong passwords. Users need only remember the "master" password these programs employ in order to use them to fill in impossible-to-remember strong passwords, and the use of such a system allows users to easily change passwords if a situation like the "Heartbleed" issue should arise again.



By Electronista Staff

Comments

  1. mac_in_tosh

    Junior Member

    Joined: 12-14-11

    "Consumer and security advocates ... recommend using a password manager like iCloud Keychain, 1Password or LastPass to generate, store and manage the strong passwords. "

    And what happens when these are hacked? You give away everything in one shot.

  2. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    iCloud Keychain being hacked is very, very, very unlikely:

    TidBITS: How to Protect Your iCloud Keychain from the NSA
