Printed from http://www.electronista.com

Apple releases OpenSSL fix for 2013 Airport Extreme, Time Capsule

updated 07:57 pm EDT, Tue April 22, 2014

Company mostly untouched by Heartbleed bug, with one exception

On Tuesday, Apple -- which had previously said none of its key software, operating systems, websites or web services had been affected by the Heartbleed OpenSSL security flaw -- issued a patch to its 2013 (only) Airport Extreme and Time Capsule products that support 802.11ac to fix the issue. The 2013 Airport Express is not affected by the bug, and does not require the update. The patch boosts the firmware version on the Extreme and Time Capsule to 7.7.3 and "provides security improvements related to SSL/TLS."

The release note does not directly mention the OpenSSL bug, and even on the affected units, users would have had to have "Send Diagnostics" or "Back to My Mac" turned on to be exposed. The bug does not affect OS X or iOS, nor the company's websites or iCloud services, none of which ever used the updated versions of OpenSSL that were found to be flawed.

"An out-of-bounds read issue existed in the OpenSSL library when handling TLS heartbeat extension packets," said Apple in its release notes. "An attacker in a privileged network position could obtain information from process memory. This issue was addressed through additional bounds checking. Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue."

It is possible the company simply overlooked its 802.11ac routers until reports of other routers being affected by the bug surfaced. Updates for the iOS versions of Pages, Numbers and Keynote -- all of which can send documents to iCloud -- also appeared today, and those updates may have a connection to the Airport patch.

The flaw, which mostly affected web servers, caused millions of users to have to change passwords on key sites, since the sites could not be certain that their systems hadn't been compromised. The technology is used to secure communications between devices and websites by encrypting transmissions, but researchers discovered that it was possible -- albeit unlikely -- to recover the decrypted information in the RAM cache of the receiving website, making it theoretically possible to recover user credentials and other sensitive data. Most websites moved quickly to fix the issue and alert users to change passwords, even though there is little evidence that the flaw was exploited widely during the nearly two years it sat undiscovered.

Other devices that used or installed the flawed OpenSSL versions could also be affected by the bug. It has since emerged that a number of Android phones and routers used it, including the HTC One smartphone and some Cisco routers, among other devices. Macs could also be affected if users installed their own (flawed) version of OpenSSL as an update to the (unaffected) earlier version that is in place by default.



By Electronista Staff