Apple’s iOS, OS X don’t have Heartbleed bug but Android and BlackBerry’s BBM do

“iOS and OS X users can breathe a sigh of relief with the knowledge that their devices are not affected by the catastrophic OpenSSL Heartbleed security flaw — but if they’re using BBM for really private messages on iOS they might want to stop right now,” Liam Tung reports for ZDNet.

“Apple products don’t suffer from the bug that has prompted a fair chunk of the internet to race out patches to fix web servers, security hardware, routers and other products that relied on the OpenSSL implementation of the SSL/TLS standard for secured web communications,” Tung reports. “Heartbleed puts at risk pretty much anything that was protected by OpenSSL encryption, including passwords, private keys, and other sensitive details such as credit card details.”

“BlackBerry has now confirmed that several of its products, including BBM for iOS and Android were affected by the Heartbleed. BBM has about 80 million users,” Tung reports. “Other BlackBerry products affected include its rival to Samsung’s Knox, Secure Work Space for iOS and Android, and BlackBerry Link for Windows and Mac OS. BlackBerry doesn’t have a patch for any of the products yet, but worse yet there are “no mitigations” for the vulnerability in BBM or Secure Work Spaces… Google yesterday confirmed Android 4.1.1, Jelly Bean, was affected by the flaw and it was developing a patch and distributing it to Android partners… According to Google’s Android distribution dashboard 4.1.x accounts for about 35 percent of all Android devices.”

Read more in the full article here.

Related articles:
Apple on ‘Heartbleed’ bug: iPhone, iPad, Mac and iCloud unaffected – April 10, 2014
What to do about Heartbleed, a gaping security hole affecting 66 percent of the Internet (at least) – April 9, 2014

15 Comments

    1. Apple’s FaceTime makes good use of open standards. From Wiki:

      H.264 and AAC-ELD – video and audio codecs respectively.
      SIP – IETF signaling protocol for VoIP.
      STUN, TURN and ICE – IETF technologies for traversing firewalls and NAT.
      RTP and SRTP – IETF standards for delivering real-time and encrypted media streams for VoIP.

      Open standards aren’t bad, they’re just badly implemented. Apple has always been a champion of open standards and has a good relationship with those who foster an open standard environment.

      Apple and Google though have different ideas of what the concept means.

  1. What I wish someone would explain is, what protocols are iOS/OS X using that bypass any website’s use of OpenSSL?

    Does the fact that Apple is using something other than OpenSSL protect us even in an environment that uses OpenSSL?

      1. I think what G4Dualie is getting at is that for iOS/OS X to be completely safe when using OpenSSL, BOTH ends have to have a non-leaky implementation. So unless you are accessing ONLY Apple approved websites/routers with your Apple device you are still vulnerable to the Heartbleed bug.

    1. Apple /devices/ running OS X and iOS cannot be attacked because they are not vulnerable to Heartbleed.

      Apple /users/ are as vulnerable as any other users and need to mitigate the danger based on what web sites hold their data. E.g. Dropbox was vulnerable but since patched their servers, so you should change your Dropbox password, and if you stored sensitive data there, put a freeze on your credit.

  2. Neither iOS nor OS X is immune to attacks, even if this one does not affect them. So users should not be completely complacent; just read another article placed on MDN today. I also have had my virus scanner pick up problems a couple of years ago on my Mac. It’s nowhere near as common as Windows, but you only need to be caught once.

  3. Ummm… while it’s true that iOS, OS X, Windows, and all but one version of Android (used in Germany) are all HeartBleed-free… what Apple refuses to admit and provide any help on is this truth:

    A wide variety of APPS **are** vulnerable to HeartBleed, including apps from the Apple Store!

    This is because Apps often embed their own copy of OpenSSL.

    But because Apple is protective of their brand rather than their customers, they are silent on this important issue.

    I’m watching for the first HeartBleed scanner app for iOS. This can affect phones, tablets, even iPods!
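The comment above makes the practical point that an app can ship its own copy of OpenSSL regardless of what the operating system uses. The check a defender actually wants is an inventory one: which binaries bundle OpenSSL, and which version. The following is an added example, written for this page and not code from the article, the commenter, Apple or BlackBerry. It searches a binary for the version banner that OpenSSL embeds in every build (text of the form `OpenSSL 1.0.1e 11 Feb 2013`) and flags the Heartbleed range. The affected range it uses, 1.0.1 through 1.0.1f with 1.0.1g and the 0.9.8/1.0.0 branches unaffected, is well documented but is not stated on this page, so it is carried as an assumption in the code; the sample "binaries" are constructed byte strings standing in for app executables.

```python
"""Added example: find bundled OpenSSL version banners in app binaries
and flag builds in the Heartbleed range.

Assumption (not stated on this page): Heartbleed affected OpenSSL 1.0.1
through 1.0.1f; 1.0.1g and later, and the 0.9.8 and 1.0.0 branches,
were not affected.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# OpenSSL compiles a banner like b"OpenSSL 1.0.1e 11 Feb 2013" into the
# library, so a plain byte search over the binary is enough to find it.
VERSION_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")


@dataclass
class Finding:
    version: str       # e.g. "1.0.1e"
    vulnerable: bool   # True if in the assumed Heartbleed range


def is_heartbleed_version(major: int, minor: int, patch: int, letter: str) -> bool:
    """True for 1.0.1 .. 1.0.1f (an empty letter is the initial 1.0.1 release)."""
    if (major, minor, patch) != (1, 0, 1):
        return False
    return letter <= "f"


def scan_blob(blob: bytes) -> List[Finding]:
    """Return one Finding per distinct OpenSSL version banner in the blob."""
    seen: Dict[str, Finding] = {}
    for m in VERSION_RE.finditer(blob):
        major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
        letter = m.group(4).decode("ascii")
        text = f"{major}.{minor}.{patch}{letter}"
        if text not in seen:
            seen[text] = Finding(text, is_heartbleed_version(major, minor, patch, letter))
    return list(seen.values())


def scan_file(path: str) -> List[Finding]:
    """Convenience wrapper: scan an app binary on disk."""
    with open(path, "rb") as f:
        return scan_blob(f.read())


# Constructed sample binaries (not real apps): a few bytes of padding
# around the kind of banner a bundled OpenSSL leaves in an executable.
SAMPLE_APP_A = b"\x00junk\x00OpenSSL 1.0.1e 11 Feb 2013\x00more junk\x00"
SAMPLE_APP_B = b"\x00OpenSSL 1.0.1g 7 Apr 2014\x00"
SAMPLE_APP_C = b"\x00OpenSSL 0.9.8y 5 Feb 2013\x00OpenSSL 1.0.1f 6 Jan 2014\x00"
SAMPLE_APP_D = b"\x00no crypto library here\x00"


if __name__ == "__main__":
    samples = {"app_a": SAMPLE_APP_A, "app_b": SAMPLE_APP_B,
               "app_c": SAMPLE_APP_C, "app_d": SAMPLE_APP_D}
    for name, blob in samples.items():
        findings = scan_blob(blob)
        if not findings:
            print(f"{name}: no bundled OpenSSL banner found")
        for f in findings:
            status = "AFFECTED" if f.vulnerable else "not affected"
            print(f"{name}: OpenSSL {f.version} -> {status}")
```

Two caveats for anyone running this over a real app directory: a banner in the affected range means the build could be affected, not that it is, because a vendor may have compiled with heartbeats disabled or backported the fix without bumping the version string; and no banner at all only means OpenSSL was not found this way, since statically linked or stripped builds can omit it. Treat a hit as a reason to ask the app vendor, not as a verdict.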
