Apple on ‘Heartbleed’ bug: iPhone, iPad, Mac and iCloud unaffected

“Apple said Thursday that its mobile, desktop and Web services weren’t affected by a major flaw in a widely used set of Web security software that could have affected hundreds of thousands of websites,” Mike Isaac reports for Re/code.

“The flaw, codenamed ‘Heartbleed’ and first reported by Web security firm Codenomicon, was discovered in a technology called ‘OpenSSL’ — a set of encryption software used by Web companies to safeguard user information,” Bort reports. “Sites that use OpenSSL will display a small ‘lock’ icon in the top left-hand corner of your Web browser’s address bar (though not all sites showing this lock use OpenSSL); the technology is used on more than two-thirds of websites across the Internet.”

“‘Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key Web-based services were not affected,’ an Apple spokesperson told Re/code,” Bort reports. “Apple’s statement comes in the days after the disclosure rocked companies and Web security wonks across the world; security expert Bruce Schneier called Heartbleed “catastrophic” in a blog post this week. ‘On the scale of 1 to 10, this is an 11,’ he wrote.”

Read more in the full article here.

Related article:
What to do about Heartbleed, a gaping security hole affecting 66 percent of the Internet (at least) – April 9, 2014

49 Comments

    1. Korea seems to be a zombie nation all right where everyone must revere and bow to the supreme CEO J.K. Shin in spite of his dropping smartphone sales and profits.

    2. Uh…iOS 7 works fine. Unless you are part of the entitled, teenbrat Millenial generation, then you can buy yourself an Android, and leave us alone.

      1. Apollonia, it’s ironic that you sound a lot like what you are criticizing. Let me rewrite your post for you…

        “Uh…iOS 7 works fine. Go buy yourself an Android, and leave us alone.”

        I’d suggest that makes your point, and does so strongly. The rest just sounds like a petulant whining brat and adds nothing.

  1. The only reason Apple servers are unaffected is because Apple was behind the times in upgrading OpenSSL. Only the newer version of the software contains the bug. This is a case of “you snooze, you win.” 8^)

    1. As I pointed out in some other thread, that’s not necessarily the case. When there are different ‘branches’ off an original open source project, the branches need not be ‘better’ than the continuing original branch.

      Some further examples:

      – VLC: There was a point where there were essentially NO Mac developers for VLC. It had ground to a total halt for the Mac. In France, they started a new ‘branch’ called ‘Lunettes’ in hopes of continuing VLC. Thankfully, after a couple months (was it the spring of 2012?) a gang of Mac developers rallied and kickstarted the original branch for Mac, catching up with the Windows and Linux code. That meant the Lunettes branch died.

      – OpenOffice: Having purchased Sun Microsystems, Oracle proceeded to denigrate all their software project. The OpenOffice open source project was no exception. (I hate you Oracle). On the Mac side, the NeoOffice branch was started in order to provide a more Mac GUI experience than the bare UNIX looking GUI of OpenOffice. Then, within a few months of each other, NeoOffice refused to compile their code for users unless they paid a hostage ‘donation’ to the project. Meanwhile, a large group of OpenOffice contributors started the LibreOffice branch in order to progress the software, which was dead stagnating under Oracle’s rule. They offered to donate their code into the OpenOffice original branch, but stupid Oracle told them to F*k off. So the LibreOffice folks did, and left OpenOffice in the dirt. That meant the NeoOffice branch was also left in the dirt. So if you put up with the hostage situation with NeoOffice, you were screwed. If you put up with OpenOffice, you were screwed.

      And so forth. This is geekdom. It’s not our usual pedestrian form of reality. I’ll spare you talking about MacPorts and Fink, X11 and XQuartz.

      1. Maybe I’m alone here, but I actually like OpenOffice better than LibreOffce. They are nearly identical, but the differences I see is that OpenOffice seems to work faster and be less buggy. LibreOffce also bugs me to install updates like every month, which never have noticeable changes and take too long to download & install.

        1. Fair enough! But at least on paper, LibreOffice is well beyond the features of OpenOffice. Whether those features you care about is another matter.

          I can certainly verify that early on LibreOffice was a bombing nightmare. But I’ve only seen one version bomb over the last year and a half.

    2. My company was for the most unaffected too, because we haven’t updated most of our servers software in a couple years. Ironically, it’s the few clients who insisted on upgrades to pass security audits that were affected.

  2. For the newbies etc.: The ‘Heartbleed’ bug is only relevant to servers. As client computer users, we have nothing to do with the problem. We have nothing to fix. Only server administrators have the bug.

    The sad news: All of us are left having to change the passwords we have on all affected servers that have patched the bug. Not kidding. Change all our passwords. EXCEPT not yet.

    Somehow, we’re supposed to find out which servers were affected AND which of those have been patched. I’m not convinced at this point that this is going to be possible.

    Ars Technica did a stellar job this week informing their users about the problem, patching it immediately, then telling everyone to change their password there NOW.

    Is every other server admin on the Internet going to do the same? NO. Thus the MDN term ‘IT Doofus’. *sigh*

    There is a website where you can test whether a particular server is STILL affected by ‘Heartbleed’:

    http://filippo.io/Heartbleed/

    Except the results, about 50% of the time, are error messages related to how that server is configured in order to prevent being probed by the script used at this testing website, and other problems. So MEH.

    1. Derek, your reply here was dangerously wrong. CLIENT computers (even iPhone, iPad, iPod) can contain server apps. Everything from file/video sharing to instant messaging and more.

      Apple is no different from Microsoft or even most versions of Android in this: the host OS is generally immune (except for one version of Android mostly found in Germany)…

      But the APPS are not immune because they often embed their own copy of the OpenSSL library. YES including apps at the Apple store.

      1. MrPete: You’re correct that there can be server applications on any computer. But the only Apple device that directly used OpenSSL v1.0.1, the affected version, turned out to be Apple’s AirPort Extreme Base Station.

        As for Android version 4.1 (which has the OpenSSL Bug) being found mostly in Germany: NO. Where did that nonsense come from?

        I’d be interested in there being a complete list of Server applications on all platforms affected by the OpenSSL Bug. Of course, we also require a complete list of websites affected by the OpenSSL Bug along with a checklist as to whether they have been patched. At this time we have only a rudimentary list at a couple helpful websites.

        I have no doubt that the ramifications of this dangerous security hole will be going on for years.

        1. Derek, even Apple’s devices aren’t limited to AirPort Extreme. I sure hope they get a LOT more public with this. They may face liability challenges through such ongoing neglect.

          Devices: both AirPort Extreme and TimeCapsule are affected, due to the “Back To My Mac” feature. http://recode.net/2014/04/22/apple-issues-security-fixes-for-ios-mac-and-airport-extreme/

          Android: various sources have surveyed actual deployment of the vulnerable 4.1/4.1.1 and found the vast majority are in Germany. Look it up.

          Apps: it’s far more than what we think of as “server” applications, because HeartBleed affects a lot of secure online protocols. SMTP/POP3/IMAP (secure email), OpenVPN, and more.

          So, for example:
          * Popular Mac database FileMaker Pro is vulnerable. http://help.filemaker.com/app/answers/detail/a_id/13384/~/filemaker-products-and-the-heartbleed-bug
          * Call of Duty (game) is vulnerable. http://www.theregister.co.uk/2014/04/10/call_of_duty_heartbleed_fragging/
          * Libre Office (word processings, spreadsheets, etc) http://www.libreoffice.org/about-us/security/advisories/cve-2014-0160/

          Starting to get the picture? We **really** need a scanner for Apple Store iOS apps, similar to what’s available already on other platforms.

        2. Apple would do well to follow the lead of other vendors who are being far more careful about this.

          Cisco is diligently working through all of their products. Only 20% have been found vulnerable so far, but that’s 60+ products. http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

          The company that impresses the heck out of me: Akamai. Long ago they saw the risk of such memory-leak bugs and designed their own secure memory heap. They implemented it in all open source software that they use, including OpenSSL.

          Most companies would stop there, confident that they couldn’t possibly be vulnerable. Not Akamai, They have taken the time to go back and rebuild every single version of their production platform since early 2012 and test it for vulnerability.

          Akamai discovered that in spite of their special security protection, for nine days in early 2013 their systems were vulnerable to HeartBleed, affecting ~350 customers. So they’ve replaced the security keys for those customers.

          THAT is great customer care. (No, I’m not their customer and have no interest…) https://blogs.akamai.com/2014/04/heartbleed-update.html

            1. Huh? Why would you say that? Look at the links I provided, and compare the transparency of these other leading vendors with what Apple is (and is not) saying.

              I have lots of friends who work for Apple, and use Apple. I have several Apple servers here in my office, etc etc. I care.

              Putting your head in the sand is not going to solve anything.

          1. Derek, you completely ignored the “tech news” in my first reply, the one you must have read if you got to “Apple would be well served…”

            Hard to admit you were factually wrong? I supplied Real Facts, with links. Please read the news more carefully and stop misinforming people. I’ve provided factual links above.

            Here’s another link, direct from Apple’s own developer documentation. This one proves why it is no surprise that apps in their own store are vulnerable.

            https://developer.apple.com/library/ios/documentation/Security/Conceptual/cryptoservices/GeneralPurposeCrypto/GeneralPurposeCrypto.html

            I quote: “If your app depends on OpenSSL, you should compile OpenSSL yourself and statically link a known version of OpenSSL into your app. This use of OpenSSL is possible on both OS X and iOS.”

            Thus, while Apple does not encourage use of OpenSSL, they absolutely allow it. And it has been done even in apps from Apple (see above eg FileMaker)

  3. You guys will have to take note of the AndroidTrolls visiting Apple related sites. They wil say “oh iOS 7 is a flop” “oh iPhone does even hv a removable battery” “no nfc” “only 8 mp cam” and all the bullshit.

  4. /iphone-online-training

    Hyderabadsys iphone online training completely unique & genuine training programe instution.so we give any one student to software cource 100% genine.Hyderbadsys iphone online training completely IT sector.we have lot of employes are working hear.so we can give practical knowledge to the students. after complete the course we give with certification, so it is useful to select multy national companies easily. Hyderbadsys iphone online training charge fees is economical cost,compare to other training instutions. Hyderbadsys iphone online training give complete live projects to the students.it is vey useful to the students.
    Hyderbadsys iphone online training have superb trainer to the students Hyderbadsys iphone online training on the web training give a best training for oracle oaf in India. so we’re prepared to give best training to students. so student have any doughts easily can clarify. we have lot of batches. hence students can take any batch, for that student convince. so he can select any batch. Hyderbadsys iphone online training E-Training give teaching to the all students 24/7 per day. A solid strategy for entering, cleanup and updating the information for the sales force online training
    +India: +91 9030400777
    Usa: +1-347-606-2716
    Email: contact@Hyderabadsys.com

    #201, Near by RTO office,
    Kondapur, Hitech city,
    Hyderabad, 500084,India.

  5. I’m sorry I know this is probably a very stupid question but I don’t understand any of this. If I log into my mint app is that the same as logging into mint.com? I really don’t use a real computer for anything and am basically on my phone for everything. Most things I have an app for. I haven’t been able to find an answer to if apps are susceptible to this or if my browsing on my phone was hacked.

    1. Possibly, if Mint uses the vulnerable Open SSL tech. Your phone app talks to Mint’s servers, just as a browser does. Since the bug is on the server side, the possibility exists. I don’t know if Mint has communicated anything about its status.

    2. Let me give it a shot at explaining.

      All these online services, from G-mail, to iCloud, to Mint.com, to Amazon, to GrubHub, etc, require you to register online and then log into their websites in order to use their services. When you log in, you provide user name and password. These two are transmitted using an encrypted connection. This encryption is facilitated by technology called OpenSSL. We now know that OpenSSL has this ‘Heartbleed’ bug that allows hackers to decrypt this communication and freely access our user IDs and passwords on those servers which use OpenSSL for secure connection.

      If Mint.com uses OpenSSL, then that means that your Mint.com user ID and password may have already been compromised in Mint.com servers (Mint.com is part of ‘Intuit’ brand, makers of ‘Quicken’). Furthermore, every time you connect to Mint.com, either by visiting the site from your web browser, or accessing your mobile App on the iPhone, your user ID and password are sent using OpenSSL, which allows hackers to see them clearly.

      I hope this answers your question.

    1. That is completely irrelevant. How will apps tied to the cloud affect the connection via OpenSSL? Apple’s iCloud is apparently not affected, since Apple does NOT use OpenSSL (or so they say).

      There are many apps that don’t require users to register on their web sites. However, they may save content created inside the app on the iCloud. This data will never touch OpenSSL connection.

      On the flip side, there are many apps that require registration and login before they can work properly (such as above-mentioned Mint.com). Such apps may be compromised, if the servers they are logging into are using OpenSSL. Yet, these apps don’t save any data on the iCloud. So, how is connection to the iCloud really relevant to the vulnerability of OpenSSL???

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.