updated 08:42 pm EDT, Thu April 10, 2014
SSL bug could still be found in Mac servers running PostgreSQL, MacPorts, other add-ons
Apple confirmed on Thursday that its operating systems, its website and its key web services, including iCloud, are not affected by the "Heartbleed" flaw in OpenSSL that is threatening much of the web. Heartbleed is a bug in the implementation of the TLS heartbeat extension in recent versions of OpenSSL, a library used by many but not all websites to secure log-ins and other transactions; because OpenSSL is so widely deployed, estimates have put as much as two-thirds of web servers at risk.
The problem, found in the TLS/DTLS heartbeat extension of OpenSSL 1.0.1 through 1.0.1f (and the 1.0.2 beta) and reported by Google security researcher Neel Mehta, lets an attacker send a heartbeat request whose stated payload length is larger than the data actually sent. The server copies that many bytes out of its own memory into the reply, so each request can leak up to 64KB of process memory that may contain login credentials, session cookies, or even the server's private key. It is an implementation bug in OpenSSL, not a weakness in the TLS protocol itself. Emails and other notifications have already started arriving from companies and services that have since patched the problem (OpenSSL 1.0.1g, released earlier this week, corrects the flaw), telling customers they will need to reset their passwords for any affected site.
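The mechanism described above, as an added example that is not part of the original article or of OpenSSL's own code: a small C simulation of the heartbeat handling in OpenSSL 1.0.1 through 1.0.1f beside the bounds check that 1.0.1g added. The record layout follows RFC 6520 (type, two-byte length, payload, at least 16 bytes of padding); the simulated memory slice, the "ping" payload and the neighbouring cookie string are constructed for the example, and the length check mirrors the one in the fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16   /* RFC 6520: at least 16 bytes of padding */

/* Constructed slice of a server's process memory: the received heartbeat
 * record sits at the front, and a string belonging to some other
 * connection happens to lie right after it. */
static unsigned char g_memory[256];
static size_t g_record_len;   /* bytes actually received in the record */

/* Build a heartbeat request carrying a 4-byte payload "ping" whose length
 * field claims `claimed_len` bytes, then place a neighbouring secret after
 * the record.  Payload and secret are constructed for this example. */
void setup_memory(uint16_t claimed_len)
{
    static const char payload[] = "ping";
    static const char secret[]  = "user=alice; session=CONSTRUCTED-TOKEN";
    size_t off = 0;

    memset(g_memory, 0, sizeof g_memory);
    g_memory[off++] = HB_REQUEST;
    g_memory[off++] = (unsigned char)(claimed_len >> 8);
    g_memory[off++] = (unsigned char)(claimed_len & 0xff);
    memcpy(g_memory + off, payload, 4);
    off += 4;
    memset(g_memory + off, 0xAA, HB_PADDING);
    off += HB_PADDING;
    g_record_len = off;                       /* 23 bytes on the wire */
    memcpy(g_memory + off, secret, sizeof secret);
}

/* Shared reply builder: type, echoed length field, `payload` bytes copied
 * from `pl`, then padding (real OpenSSL fills it with random bytes). */
static size_t build_response(unsigned char *resp, size_t resp_cap,
                             const unsigned char *pl, uint16_t payload)
{
    size_t need = 1 + 2 + (size_t)payload + HB_PADDING;
    if (need > resp_cap)
        return 0;
    resp[0] = HB_RESPONSE;
    resp[1] = (unsigned char)(payload >> 8);
    resp[2] = (unsigned char)(payload & 0xff);
    memcpy(resp + 3, pl, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return need;
}

/* Modelled on OpenSSL 1.0.1 to 1.0.1f: the claimed length is trusted, so
 * the memcpy reads past the 23 received bytes into whatever follows. */
size_t vulnerable_heartbeat(unsigned char *resp, size_t resp_cap)
{
    const unsigned char *p = g_memory;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST)
        return 0;
    /* Only keeps the simulation inside g_memory; the real code had no
     * guard here, which is the bug. */
    if (3 + (size_t)payload > sizeof g_memory)
        return 0;
    return build_response(resp, resp_cap, p, payload);
}

/* Modelled on the 1.0.1g fix: discard records too short to hold header and
 * padding, and any whose claimed payload length exceeds the record. */
size_t fixed_heartbeat(unsigned char *resp, size_t resp_cap)
{
    const unsigned char *p = g_memory;
    unsigned char hbtype;
    uint16_t payload;

    if ((size_t)(1 + 2 + HB_PADDING) > g_record_len)
        return 0;                             /* silently discard */
    hbtype = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > g_record_len)
        return 0;                             /* silently discard, RFC 6520 s.4 */
    if (hbtype != HB_REQUEST)
        return 0;
    return build_response(resp, resp_cap, p, payload);
}

/* Byte search over the reply, which is not NUL-terminated text. */
int response_contains(const unsigned char *resp, size_t n, const char *needle)
{
    size_t k = strlen(needle);
    for (size_t i = 0; i + k <= n; i++)
        if (memcmp(resp + i, needle, k) == 0)
            return 1;
    return 0;
}

int main(void)
{
    unsigned char resp[256];
    size_t n;

    setup_memory(64);                         /* claim 64 bytes, send 4 */
    n = vulnerable_heartbeat(resp, sizeof resp);
    printf("vulnerable: %zu-byte reply, leaks secret: %s\n", n,
           response_contains(resp, n, "session=") ? "yes" : "no");
    n = fixed_heartbeat(resp, sizeof resp);
    printf("fixed:      %zu-byte reply (0 = discarded)\n", n);

    setup_memory(4);                          /* honest request */
    n = fixed_heartbeat(resp, sizeof resp);
    printf("fixed, honest request: %zu-byte reply echoing \"%.4s\"\n",
           n, (const char *)(resp + 3));
    return 0;
}
```

The malicious request is 23 bytes long but claims a 64-byte payload; the vulnerable handler dutifully copies 64 bytes starting at the payload and the neighbouring session string ends up in the reply, while the fixed handler drops the record without answering. In real OpenSSL the over-read reaches into heap memory next to the record buffer, which is why the leaked bytes vary from request to request.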
"Apple takes security very seriously. OS X and iOS never incorporated the vulnerable software, and key web-based services were not affected," said an Apple spokesperson. However, OS X in particular is often used for web serving, and third-party UNIX software installed alongside it can still put a self-hosted server at risk. The OpenSSL that ships with OS X is the older 0.9.8 branch, which does not have the bug, but MacPorts and Homebrew install their own, newer OpenSSL, and services built against it, such as PostgreSQL, may be linked to a vulnerable 1.0.1 build. Administrators running MacPorts, Homebrew or other non-Apple serving add-ons should check the version reported by that add-on copy of OpenSSL rather than the system one, upgrade it to 1.0.1g (or disable the affected services) immediately, restart every service that uses it, and, because private keys may already have been read, reissue their certificates and keys.
Most major websites (Google, Facebook, Microsoft et cetera) have now implemented fixes for the flaw if they were running OpenSSL, or issued statements that they weren't running it in the first place, reports AppleInsider. Many sites, including major banks as well as Apple, never used OpenSSL and are thus unaffected by the problem, which has been deemed "critical" because of OpenSSL's widespread use on web servers.
Users are cautioned to be wary of "phishing" emails that take advantage of the crisis to send fake "please reset your credentials" messages. Readers are advised not to click links in such an email, but instead to visit the site directly and change their password there, and only once the site has confirmed that it has upgraded its OpenSSL or never used the flawed library: a password changed on a still-vulnerable server can simply be stolen again.
Consumer and security advocates recommend changing passwords periodically anyway as a precaution. They recommend strong passwords made up of a combination of upper- and lower-case letters, numbers and symbols, and using a password manager such as iCloud Keychain, 1Password or LastPass to generate, store and manage them. Users need only remember the "master" password these programs employ in order to have them fill in otherwise impossible-to-remember passwords, and such a system makes it easy to change passwords site by site if a situation like Heartbleed arises again.