Printed from http://www.electronista.com

Apple confirms its services not affected by 'Heartbleed' flaw

updated 08:42 pm EDT, Thu April 10, 2014

SSL bug could still be found in Mac servers running PostgreSQL, MacPorts, other add-ons

Apple confirmed on Thursday that all of its operating systems and key web services, as well as its website and iCloud service, are not affected by the "Heartbleed" SSL flaw that is threatening much of the web. The "Heartbleed" bug, a flaw in the implementation of later versions of OpenSSL -- which is used by many but not all websites to handle secure log-ins and other transactions -- has put as much as two-thirds of the World Wide Web at risk.

The problem was found in the TLS/DTLS heartbeat extension in OpenSSL 1.0.1 and higher by Google security researcher Neel Mehta, and opens the protocol to compromise by allowing hackers to read up to 64KB of cached memory that may contain login credentials and other information. Version 1.0.1g was released earlier this week to correct the flaw. Emails and other notifications have already started arriving from companies and services on the web that have since patched the problem, telling customers they will need to reset their passwords for any affected site.

"Apple takes security very seriously. OS X and iOS never incorporated the vulnerable software, and key web-based services were not affected," said an Apple spokesperson. However, OS X in particular is often used for web serving, with additional UNIX-based add-ons available that may still compromise homebrew servers. Users running MacPorts, PostgreSQL, BREW or certain other non-Apple serving add-ons may still be at risk of using the compromised OpenSSL version, and should upgrade or disable the services immediately.
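For administrators of such servers, a version check along these lines shows which installed OpenSSL copies need attention. This is an added example, not part of the original article. The affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1) follows OpenSSL's own advisory, and the three install paths are assumed defaults for Apple's system copy, MacPorts and Homebrew.

```shell
#!/bin/sh
# Added example: classify OpenSSL builds against the Heartbleed range.
# Affected per the OpenSSL advisory: 1.0.1 through 1.0.1f and 1.0.2-beta1.
# Fixed in 1.0.1g. The 0.9.8 and 1.0.0 branches never had the heartbeat code.

# heartbleed_status "<output of 'openssl version'>"
# Prints one of: vulnerable | not-affected | unknown
heartbleed_status() {
    # "OpenSSL 1.0.1e 11 Feb 2013" -> second field is the version.
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        "")                       echo unknown ;;
        1.0.1|1.0.1[abcdef])      echo vulnerable ;;
        1.0.2-beta1)              echo vulnerable ;;
        0.9.*|1.0.0*)             echo not-affected ;;
        1.0.1[ghijklmnopqrstuvwxyz]*) echo not-affected ;;
        1.0.2*|1.[1-9].*|[2-9].*) echo not-affected ;;
        # Suffixed builds (e.g. 1.0.1e-fips) land here: vendors may backport
        # the fix without changing the letter, so check the vendor advisory.
        *)                        echo unknown ;;
    esac
}

# scan_openssl PATH...
# Prints "path <TAB> status <TAB> version line" for each binary that exists.
scan_openssl() {
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        out=$("$bin" version 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "$bin" "$(heartbleed_status "$out")" "$out"
    done
    return 0
}

# Assumed default locations (not from the article):
# Apple's system copy, MacPorts, Homebrew.
scan_openssl /usr/bin/openssl /opt/local/bin/openssl /usr/local/bin/openssl
```

The check covers only the `openssl` command-line binary at each path; a service such as PostgreSQL may link its own copy of the library, and any service must be restarted after an upgrade before it loads the fixed version.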



Most major websites (Google, Facebook, Microsoft et cetera) have now implemented fixes for the flaw if they were running OpenSSL, or issued statements that they weren't running it in the first place, reports AppleInsider. Many sites, such as major banks as well as Apple, never used the technology and are thus unaffected by the problem, which has been deemed "critical" due to OpenSSL's widespread use on web servers.

Users are cautioned to be wary of "phishing" emails that may take advantage of the crisis to send fake "please reset your credentials" type messages. Readers are advised not to click any links directly in an email. Instead, anyone who receives such a warning by email should visit the site directly and change passwords there, once the site has verified that it has upgraded its OpenSSL or never used the flawed protocol.

Consumer and security advocates recommend routine changing of passwords every now and then anyway as a security precaution. They recommend using strong passwords made up of a combination of letters, cases and numbers -- and using a password manager like iCloud Keychain, 1Password or LastPass to generate, store and manage the strong passwords. Users need only remember the "master" password these programs employ in order to use them to fill in impossible-to-remember strong passwords, and the use of such a system allows users to easily change passwords if a situation like the "Heartbleed" issue should arise again.



By Electronista Staff

Comments

  1. mac_in_tosh

    Fresh-Faced Recruit

    Joined: 12-14-11

    "Consumer and security advocates ... recommend using a password manager like iCloud Keychain, 1Password or LastPass to generate, store and manage the strong passwords."

    And what happens when these are hacked? You give away everything in one shot.

  2. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    iCloud Keychain being hacked is very, very, very unlikely:

    TidBITS: How to Protect Your iCloud Keychain from the NSA
