That last sentence...
Haven't laughed so much in years.
Apple has reassured fanbois that its operating systems have not been affected by the apparently apocalyptic Heartbleed vulnerability. The OpenSSL bug has been terrifying the tech world all week, but apparently no one at Cupertino is that bothered about it. After taking a few days to check its security, the fruity firm joined …
If it is your own server, you can give yourself permission to test it. Even in the UK.
I gave myself permission to look at one of our MacBook Airs.
The reported version of openssl is 0.9.8 so that'll do me.
The reported "safe" version of OpenSSL is 1.0.1g released on 7 Apr. I'd take another look.
Any version _before_ 1.0.1 is also safe, as the heartbeat feature wasn't implemented until 1.0.1.
So, Apple lags so much in keeping its libraries up to date that even the most recent versions of its software are not affected by a two-year-old bug.
Security through obsolescence?
The good news is, we'll only have to wait a few years to be able to use XP safely.
"The reported "safe" version of OpenSSL is 1.0.1g released on 7 Apr. I'd take another look."
That's not the whole story, because the patch has been backported to previous versions.
My Red Hat derivatives and Debian are running 1.0.1e and the patches for that arrived pretty promptly.
Of course, anyone not running the latest will still be subject to other vulnerabilities which have been addressed in subsequent releases.
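As an added check that is not part of any comment in this thread: a small Python triage of `openssl version` banners that encodes the version reasoning above (nothing before 1.0.1 had the heartbeat extension, 1.0.1g is the upstream fix) together with the backport caveat, and walks a constructed inventory that includes a MacPorts-installed copy alongside the system one. Banners, paths and host names are sample data, not from a real host.

```python
import re

# Matches the leading token of `openssl version` output, e.g. "OpenSSL 1.0.1e-fips 11 Feb 2013".
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\w+))?")

def parse_banner(banner):
    """Return (major, minor, patch, letter, suffix) from an OpenSSL version banner."""
    m = BANNER_RE.search(banner)
    if not m:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, patch, letter, suffix = m.groups()
    return int(major), int(minor), int(patch), letter, (suffix or "").lower()

def heartbleed_status(banner):
    """Classify by upstream release: 'not-affected', 'vulnerable' or 'fixed'."""
    # The TLS heartbeat extension first shipped in 1.0.1, so 0.9.8 and 1.0.0
    # never had the bug; 1.0.1 through 1.0.1f and 1.0.2-beta1 have it;
    # 1.0.1g and 1.0.2-beta2 onwards carry the upstream fix.
    major, minor, patch, letter, suffix = parse_banner(banner)
    base = (major, minor, patch)
    if base < (1, 0, 1):
        return "not-affected"
    if base == (1, 0, 1) and letter < "g":
        return "vulnerable"
    if base == (1, 0, 2) and suffix == "beta1":
        return "vulnerable"
    return "fixed"

def triage(banner, vendor_patched=False):
    """Backport caveat: a distro may fix 1.0.1e in place without bumping the upstream
    version, so `vendor_patched` must come from the package changelog, not the banner."""
    status = heartbleed_status(banner)
    if status == "vulnerable" and vendor_patched:
        return "fixed (vendor backport)"
    return status

# Constructed inventory (sample data): name -> banner as `openssl version` would print it.
SAMPLE_INVENTORY = {
    "/usr/bin/openssl": "OpenSSL 0.9.8y 5 Feb 2013",        # OS X system copy
    "/opt/local/bin/openssl": "OpenSSL 1.0.1f 6 Jan 2014",  # MacPorts-installed copy
    "debian-host": "OpenSSL 1.0.1e 11 Feb 2013",            # distro package, backport unknown
    "build-box": "OpenSSL 1.0.1g 7 Apr 2014",
}

def triage_inventory(inventory, patched_hosts=()):
    """Map each entry to its status; patched_hosts are known from their changelog to be backported."""
    return {name: triage(banner, name in patched_hosts) for name, banner in inventory.items()}
```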
Check out all the things you are vulnerable to then:
> I gave myself permission to look at one of our MacBook Airs
And how do you reckon the vuln could have been exploited on your MBA anyway?
iOS and OS X don't use OpenSSL. In fact, Apple even recommends developers not to use OpenSSL as they consider the API to be unstable.
I assume the only reason they ship a (not vulnerable) version of OpenSSL is because some ports from Unix or Linux that users like to play around with themselves depend on it. This is why you can come across newer (vulnerable) versions of OpenSSL if you have updated MacPorts some time between the creation of this bug and this week. Most normal users don't install MacPorts so won't be vulnerable.
The risk of this bug exists mainly server side anyway, OpenSSL clients are unlikely to suffer from this. That means that this security audit will not have focused on consumer iOS or OS X devices but on Apple's own cloud services. Apparently they haven't been using OpenSSL on their servers either.
@LosD I'll give you an upvote, but the full sentence should be "Any version _before_ 1.0.1 is also safe from Heartbleed, as the heartbeat feature wasn't implemented until 1.0.1."
"My Red Hat derivatives and Debian are running 1.0.1e and the patches for that arrived pretty promptly."
Ditto for OpenSUSE
OpenSSL 0.9.8 is not "dead". Yes, it's the older branch, but it still receives major security fixes. Many systems still utilize it because it's been around for so much longer than the 1.0.x series, so it (should be) more stable.
The biggest disadvantage of the 0.9.8 branch is that it doesn't support the newer cipher suites.
Or newer technologies like heartbeat. Oh wait...
I did imply that, but looking back at what I wrote I wasn't explicit enough. Thanks for adding the relevant link.
>but on Apple's own cloud services
Which ran an unholy mix of Microsoft (immune) & Amazon (vulnerable) last we heard. I guess this confirms rumours that the balance has since shifted Azure's way and then some.
I bet iOS and OS X are immune from smallpox and H1N1 too. Oh and rickets too.
If that's all Apple PR dept found to make the headlines this week, that's weak.
Some seem to think security is about always making sure you're running the latest version of something, when in reality, if you don't change functionality much and patch all the vulnerabilities, it ends up being more secure.
Why do you think NASA always lags behind with the CPUs they use in their projects? They wait for all the flaws and bugs to be documented and for compilers to be solid.
NASA uses older chips because they have larger wire traces and other components, which are less vulnerable to interference from high-energy particles. Outside the earth's magnetosphere, solar and cosmic radiation are major problems.
>I bet iOS and OS X are immune from smallpox and H1N1 too. Oh and rickets too.
Yes, everything bar pancreatic cancer.
Trust, but verify.
Hey Jasper. I think you may have meant motherlode. Motherload probably means something rather different!
Their products may be safe-ish, but have they really checked every web server? I'm sure if we looked hard enough we could find a few that aren't running Apple software but some other *nix.
Apple is misleading people. While the OS might be not vulnerable to Heartbleed, the apps ARE vulnerable. This is confirmed by Crestron - a major home automation manufacturer. http://support.crestron.com/app/answers/detail/a_id/5471/kw/5471
So it's VERY important to report that while the OS of things like iPads/iPhones/laptops and Windows machines may not be an issue, the apps and programs might be.
For example, is Safari vulnerable? So if an Apple or Windows browser visits a malicious web site, can data be stolen from the machine visiting the server? Heartbleed works on clients too.
It's irresponsible to mislead consumers that their products are not vulnerable when in fact they most likely have apps or software that is running on the device.
How is Apple responsible for notifying people about the potential security issues of the million plus third party OS X or iOS apps? They simply said that iOS and OS X are not vulnerable. They don't have source, they wouldn't be able to determine which apps are vulnerable if they wanted to.
If held to your ridiculous standards, every OS vendor out there is "vulnerable" forever because it is possible that someone may have a vulnerable app installed on their PC/phone today and may choose to never update it.
If I replace the OEM tires in my car, and they sometimes blow up and cause fatal accidents so they get recalled, the manufacturer of my car isn't "vulnerable" to this defect. If asked they'll simply state their cars are not affected by the recall.
"For example, is Safari vulnerable? So if an Apple or Windows browser visits a malicious web site, can data be stolen from the machine visiting the server? Heartbleed works on clients too."
If you're using a Web browser to browse to a secure site, the security of the connection depends on the version of SSL running server-side. If some banking site somewhere is vulnerable, that's not Apple's fault, seems to me.
Yes, anyone connecting to a vulnerable server is at risk. Apple hasn't said otherwise; what they said was "IOS and OS X never incorporated the vulnerable software and key Web-based services were not affected," which as near as I can tell seems to be true. (Mavericks, for instance, ships with OpenSSL 0.9.8y.)
"If held to your ridiculous standards, every OS vendor out there is "vulnerable" forever "
And that is the message they should be communicating. Every responsible vendor is.
If someone sees on the nightly news today "iOS and OSX are safe" they're going to go back to wantonly logging into their email, banking info, etc at internet cafes and other places, thinking they're immune because of Apple magic when really they are not.
Apple should have said something like "While iOS and OSX are themselves safe, please be aware of the security or lack thereof of all apps, web sites and web service providers".
"If you're using a Web browser to browse to a secure site, the security of the connection depends on the version of SSL running server-side. If some banking site somewhere is vulnerable, that's not Apple's fault, seems to me.
Yes, anyone connecting to a vulnerable server is at risk. Apple hasn't said otherwise; what they said was "IOS and OS X never incorporated the vulnerable software and key Web-based services were not affected," which as near as I can tell seems to be true. (Mavericks, for instance, ships with OpenSSL 0.9.8y.)"
While true, I'd wager 99% of Apple's user base has no idea what any of that means. They just heard Apple say whatever they do is safe no matter what. So they will do just that.
How long ago did Apple stop making servers?
Is it 1% or 0.1% of Web Sites that run OS X?
If you have no open inward ports [on firewall and/or no server services / daemons running] and don't access an evil server, how does the client matter?
>>How long ago did Apple stop making servers?
Depends upon what you mean. They may no longer sell hardware labelled "server", but OS X is a BSD derivative and, just like any other UNIX or Linux, can be used to provide services (a server) with the addition of commonly available software, much of which is already installed anyway.
Apple even sell "OS X Server" software in their app store, see https://itunes.apple.com/us/app/os-x-server/id714547929?mt=12 or any of the many reviews of it.
I have found this site quite good for testing - whether it is illegal or not in the UK is not my concern....
"All our systems are 100% secure."
-- posted from my jailbroken idevice --
Relevance? The most security-hardened computer product in the world is not immune to the silly owner, with full access to the device, breaking it by modifying or replacing the software with their own idiot versions.
I suggest you see the source of your rogue software or examine your own conscience if you realise that jail-breaking has made the device insecure.
The only thing Apple is IMMUNE from is paying TAX.
Some apple apps have OpenSSL compiled into the app. In addition, many Apple apps communicate with server components on Linux machines. So suggesting iOS is "immune", while probably technically true, isn't the full story.
If you use the popular MacPorts to make your Mac more like another operating system, then you might want to update the MacPorts-managed software.