Apple releases OpenSSL fix for 2013 AirPort Extreme, Time Capsule

updated 07:57 pm EDT, Tue April 22, 2014

Company mostly untouched by Heartbleed bug, with one exception

On Tuesday, Apple -- which had previously said none of its key software, operating systems, websites or web services had been affected by the Heartbleed OpenSSL security flaw -- issued a patch for its AirPort Extreme and Time Capsule products that support 802.11ac (2013 models only) to fix the issue. The 2013 AirPort Express is not affected by the bug, and does not require the update. The patch raises the firmware version on the Extreme and Time Capsule to 7.7.3 and "provides security improvements related to SSL/TLS."

The release note does not directly mention the OpenSSL bug, and even the affected units are exposed only if users had "Send Diagnostics" or "Back to My Mac" turned on. The bug does not affect OS X or iOS, nor the company's websites or iCloud services, none of which ever used the updated versions of OpenSSL that were found to be flawed.

"An out-of-bounds read issue existed in the OpenSSL library when handling TLS heartbeat extension packets," said Apple in its release notes. "An attacker in a privileged network position could obtain information from process memory. This issue was addressed through additional bounds checking. Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue."

It is possible the company simply overlooked its 802.11ac routers until reports of other routers being affected by the bug surfaced. Updates for the iOS versions of Pages, Numbers and Keynote -- all of which can send documents to iCloud -- also appeared today, and the update may possibly have a connection to the AirPort patch.

The flaw, which mostly affected web servers, caused millions of users to have to change passwords on key sites, since the sites could not be certain that their systems hadn't been compromised. The technology is used to secure communications between devices and websites by encrypting transmissions, but researchers discovered that it was possible -- albeit unlikely -- to recover the decrypted information in the RAM cache of the receiving website, making it theoretically possible to recover user credentials and other sensitive data. Most websites moved quickly to fix the issue and alert users to change passwords, even though there is little evidence that the flaw was exploited widely during the nearly two years it sat undiscovered.

Other devices that used or installed the flawed OpenSSL versions could also be affected by the bug. It has since emerged that a number of Android phones and routers used them, including the HTC One smartphone and some Cisco routers, among other devices. Macs could also be affected if users installed their own (flawed) version of OpenSSL as an update to the (unaffected) earlier version that is in place by default.

By Electronista Staff