Apple confirms its services not affected by 'Heartbleed' flaw

updated 08:42 pm EDT, Thu April 10, 2014

SSL bug could still be found in Mac servers running PostgreSQL, MacPorts, other add-ons

Apple confirmed on Thursday that all of its operating systems and key web services, as well as its website and iCloud service, are not affected by the "Heartbleed" SSL flaw that is threatening much of the web. The "Heartbleed" bug, a flaw in the implementation of later versions of OpenSSL -- which is used by many but not all websites to handle secure log-ins and other transactions -- has put as much as two-thirds of the World Wide Web at risk.

The problem was found in the TLS/DTLS heartbeat extension in OpenSSL 1.0.1 and higher by Google security researcher Neel Mehta, and opens the protocol to compromise by allowing hackers to read up to 64KB of cached memory that may contain login credentials and other information. Emails and other notifications have already started arriving from companies and services on the web that have since patched the problem (version 1.0.1g was released earlier this week to correct the flaw), telling customers they will need to reset their passwords for any affected site.

"Apple takes security very seriously. OS X and iOS never incorporated the vulnerable software, and key web-based services were not affected," said an Apple spokesperson. However, OS X in particular is often used for web serving, with additional UNIX-based add-ons available that may still compromise homebrew servers. Users running MacPorts, PostgreSQL, BREW or certain other non-Apple serving add-ons may still be at risk of using the compromised OpenSSL version, and should upgrade or disable the services immediately.

Most major websites (Google, Facebook, Microsoft et cetera) have now implemented fixes for the flaw if they were running OpenSSL, or issued statements that they weren't running it in the first place, reports AppleInsider. Many sites, such as major banks as well as Apple, never used the technology and are thus unaffected by the problem, which has been deemed "critical" due to OpenSSL's widespread use on web servers.
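A first-pass check for the upgrade advice given above to operators of MacPorts and other add-on installs, as an added example that is not part of the original article. The function names and the install paths (MacPorts' default `/opt/local` prefix, a Homebrew keg under `/usr/local/opt`) are assumptions, and the affected range used here (1.0.1 through 1.0.1f, plus 1.0.2-beta1) is more specific than the article's wording.

```shell
#!/bin/sh
# Added example: classify `openssl version` output against the Heartbleed range.
# 1.0.1g is the fix release named in the article. A version string is only a
# first pass: some vendors backport the fix without changing the version letter.

heartbleed_status() {
    # $1: full `openssl version` line, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        1.0.1|1.0.1[abcdef]|1.0.1[abcdef]-*|1.0.2-beta1)
            echo vulnerable ;;      # heartbeat code present, bounds check missing
        1.0.1[!abcdef-]*)
            echo fixed ;;           # 1.0.1g and later letter releases
        0.*|1.0.0*)
            echo not-affected ;;    # branches older than 1.0.1
        1.0.[2-9]*|1.[1-9].*|[2-9].*)
            echo fixed ;;           # releases after the 1.0.1 branch
        *)
            echo unknown ;;         # not OpenSSL, or an unrecognised string
    esac
}

scan_openssl_binaries() {
    # Assumed locations: MacPorts prefix, Homebrew keg, then whatever is on PATH.
    # Copies of libssl bundled inside an application are not found this way.
    for bin in /opt/local/bin/openssl \
               /usr/local/opt/openssl/bin/openssl \
               "$(command -v openssl 2>/dev/null)"; do
        [ -x "$bin" ] || continue
        line=$("$bin" version 2>/dev/null) || continue
        printf '%s\t%s\t%s\n' "$(heartbleed_status "$line")" "$bin" "$line"
    done
}

# Run as `sh check.sh scan` to list the binaries found on this machine.
if [ "${1:-}" = scan ]; then
    scan_openssl_binaries
fi
```

Any service linked against a binary reported as `vulnerable` needs a restart after the upgrade so that it loads the fixed library.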

Users are cautioned to be wary of "phishing" emails that may take advantage of the crisis to send fake "please reset your credentials" type messages. Readers are advised not to click any links directly in an email; anyone who receives such a warning by email should instead visit the site directly and change passwords there, once the site has verified that it has upgraded its OpenSSL or never used the flawed protocol.

Consumer and security advocates recommend routine changing of passwords every now and then anyway as a security precaution. They recommend using strong passwords made up of a combination of letters, cases and numbers -- and using a password manager like iCloud Keychain, 1Password or LastPass to generate, store and manage the strong passwords. Users need only remember the "master" password these programs employ in order to use them to fill in impossible-to-remember strong passwords, and the use of such a system allows users to easily change passwords if a situation like the "Heartbleed" issue should arise again.

By Electronista Staff


  1. mac_in_tosh

    Junior Member

    Joined: 12-14-11

    "Consumer and security advocates ... recommend using a password manager like iCloud Keychain, 1Password or LastPass to generate, store and manage the strong passwords."

    And what happens when these are hacked? You give away everything in one shot.

  2. Spheric Harlot

    Clinically Insane

    Joined: 11-07-99

    iCloud Keychain being hacked is very, very, very unlikely:

    TidBITS: How to Protect Your iCloud Keychain from the NSA
