Apple says iOS, OS X is immune to Heartbleed SSL bug

Apple has reassured fanbois that its operating systems have not been affected by the apparently apocalyptic Heartbleed vulnerability. The OpenSSL bug has been terrifying the tech world all week, but apparently no one at Cupertino is that bothered about it. After taking a few days to check its security, the fruity firm joined …

COMMENTS

This topic is closed for new posts.
  1. Frank Zuiderduin

    That last sentence...

    Haven't laughed so much in years.

  2. Sander van der Wal
    Thumb Down

    If it is your own server, you can give yourself permission to test it. Even in the UK.

  3. Alister

    I gave myself permission to look at one of our Mac Book Airs.

    The reported version of openssl is 0.9.8 so that'll do me.

    1. NoneSuch Silver badge

      Ummm Alister...

      The reported "safe" version of OpenSSL is 1.0.1g released on 7 Apr. I'd take another look.

      1. LosD

        Any version _before_ 1.0.1 is also safe, as the heartbeat feature wasn't implemented until 1.0.1.

        1. big_D Silver badge
          Headmaster

          @LosD I'll give you an upvote, but the full sentence should be "Any version _before_ 1.0.1 is also safe from Heartbleed, as the heartbeat feature wasn't implemented until 1.0.1."

      2. Wensleydale Cheese
        Stop

        "The reported "safe" version of OpenSSL is 1.0.1g released on 7 Apr. I'd take another look."

        That's not the whole story, because the patch has been backported to previous versions.

        My Red Hat derivatives and Debian are running 1.0.1e and the patches for that arrived pretty promptly.

        Of course, anyone not running the latest will still be subject to other vulnerabilities which have been addressed in subsequent releases.
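
An added shell check, written for this thread and not taken from any commenter, Apple, OpenSSL or a distro, that encodes the two points made above: only the 1.0.1 series (1.0.1 through 1.0.1f; the heartbeat code first shipped in 1.0.1 and the fix is 1.0.1g) is affected, and a distro may backport the fix without bumping the version string, so a 1.0.1e that reports "possibly-vulnerable" still needs the vendor changelog checked before you call it bad. It also covers the 1.0.2-beta1 pre-release, which the OpenSSL advisory listed as affected. The binary paths (/usr/bin/openssl and the MacPorts prefix /opt/local/bin/openssl) are assumptions about where the binaries usually live; the version strings in the comments are constructed samples.

```shell
#!/bin/sh
# heartbleed_status: classify an `openssl version` string for CVE-2014-0160 exposure.
# Affected upstream releases: 1.0.1 to 1.0.1f and 1.0.2-beta1 (fixed in 1.0.1g / 1.0.2-beta2).
# 0.9.8 and 1.0.0 never contained the TLS heartbeat code, so they are out of scope.
# Caveat: Debian, Red Hat and friends backport the fix without changing the version,
# so "possibly-vulnerable" means "check the package changelog", not "confirmed".
heartbleed_status() {
    # $1 is the full banner, e.g. "OpenSSL 1.0.1e 11 Feb 2013" (constructed sample).
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z0-9-]*\).*/\1/p')
    [ -n "$ver" ] || { echo "unknown"; return 0; }   # LibreSSL, BoringSSL, garbage input
    case "$ver" in
        0.9.*|1.0.0*)       echo "never-vulnerable" ;;    # pre-heartbeat branches
        1.0.1|1.0.1[a-f])   echo "possibly-vulnerable" ;; # unless the distro backported the fix
        1.0.2-beta1)        echo "possibly-vulnerable" ;; # the one affected 1.0.2 pre-release
        *)                  echo "fixed" ;;               # 1.0.1g+, 1.0.2-beta2+, 1.0.2, 1.1.x ...
    esac
}

# scan_openssl_binaries: report on each OpenSSL binary that is present.
# The system copy and a MacPorts copy (assumed prefix /opt/local) can differ,
# which is exactly the situation the MacPorts users in this thread are in.
scan_openssl_binaries() {
    for bin in /usr/bin/openssl /opt/local/bin/openssl; do
        [ -x "$bin" ] || continue
        banner=$("$bin" version 2>/dev/null) || continue
        printf '%s: %s (%s)\n' "$bin" "$(heartbleed_status "$banner")" "$banner"
    done
}

scan_openssl_binaries
```

On a "possibly-vulnerable" result, confirm the backport before acting: on RPM-based systems `rpm -q --changelog openssl | grep CVE-2014-0160` shows whether the distro's 1.0.1e carries the fix, and on Debian the package changelog does the same job. A "fixed" or "never-vulnerable" result only covers that binary; statically linked applications bundle their own copy and are not seen by this scan.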

        1. Chemist

          "My Red Hat derivatives and Debian are running 1.0.1e and the patches for that arrived pretty promptly."

          Ditto for OpenSUSE

    2. Anonymous Coward
      Anonymous Coward

      The reported version of openssl is 0.9.8 so that'll do me.

      So, Apple lags so much in keeping its libraries up to date that even the most recent versions of its software are not affected by a 2-year-old bug.

      Security through obsolescence?

      The good news is, we'll only have to wait a few years to be able to use XP safely.

      1. Justin Pasher

        Re: The reported version of openssl is 0.9.8 so that'll do me.

        OpenSSL 0.9.8 is not "dead". Yes, it's the older branch, but it still receives major security fixes. Many systems still utilize it because it's been around for so much longer than the 1.0.x series, so it (should be) more stable.

        The biggest disadvantage of the 0.9.8 branch is that it doesn't support the newer cipher suites.

        1. Your alien overlord - fear me

          Re: The reported version of openssl is 0.9.8 so that'll do me.

          Or newer technologies like heartbeat. Oh wait...

    3. Stretch

      Re: 0.9.8

      Check out all the things you are vulnerable to then:

      http://www.openssl.org/news/openssl-1.0.0-notes.html

      1. Wensleydale Cheese
        Thumb Up

        Re: 0.9.8

        Stretch,

        I did imply that, but looking back at what I wrote I wasn't explicit enough. Thanks for adding the relevant link.

    4. ElReg!comments!Pierre

      > I gave myself permission to look at one of our Mac Book Airs

      And how do you reckon the vuln could have been exploited on your MBA anyway?

    5. Len

      iOS and OS X don't use OpenSSL. In fact, Apple even recommends developers not to use OpenSSL as they consider the API to be unstable.

      I assume the only reason they ship a (not vulnerable) version of OpenSSL is because some ports from Unix or Linux that users like to play around with themselves depend on it. This is why you can come across newer (vulnerable) versions of OpenSSL if you have updated Mac Ports some time between the creation of this bug and this week. Most normal users don't install Mac Ports so won't be vulnerable.

      The risk of this bug exists mainly server side anyway, OpenSSL clients are unlikely to suffer from this. That means that this security audit will not have focused on consumer iOS or OS X devices but on Apple's own cloud services. Apparently they haven't been using OpenSSL on their servers either.

      1. Anonymous Coward
        Anonymous Coward

        >but on Apple's own cloud services

        Which ran an unholy mix of Microsoft (immune) & Amazon (vulnerable) last we heard. I guess this confirms rumours that the balance has since shifted Azure's way and then some.

  4. ElReg!comments!Pierre
    WTF?

    Server-side vuln...

    I bet iOS and OS X are immune from smallpox and H1N1 too. Oh and rickets too.

    If that's all Apple PR dept found to make the headlines this week, that's weak.

    1. Anonymous Coward
      Anonymous Coward

      Re: Server-side vuln...

      Some seem to think security is about always making sure you're running the latest version of something. When in reality if you don't change functionality much and patch all the vulnerabilities it ends up being more secure.

      Why do you think NASA always lags behind with the CPUs they use in their projects? They wait for all the flaws and bugs to be documented and for compilers to be solid.

      1. This post has been deleted by its author

      2. Kanhef
        Boffin

        Re: Server-side vuln...

        NASA uses older chips because they have larger wire traces and other components, which are less vulnerable to interference from high-energy particles. Outside the earth's magnetosphere, solar and cosmic radiation are major problems.

    2. Fruit and Nutcase Silver badge
      Coat

      Re: Server-side vuln...

      >I bet iOS and OS X are immune from smallpox and H1N1 too. Oh and rickets too.

      Yes, everything bar Pancreatic cancer.

  5. IDoNotThinkSo
    Mushroom

    Доверяй, но проверяй.

    Trust, but verify.

  6. Anonymous Coward
    Anonymous Coward

    These are not the loads you're looking for

    Hey Jasper. I think you may have meant motherlode. Motherload probably means something rather different!

  7. Gordon 10

    Really?

    Their products may be safe-ish, but have they really checked every web server? I'm sure if we looked hard enough we could find a few that aren't running Apple software but some other *nix.

  8. Chris Stephens
    FAIL

    Apple is misleading

    Apple is misleading people. While the OS might be not vulnerable to Heartbleed, the apps ARE vulnerable. This is confirmed by Crestron - a major home automation manufacturer. http://support.crestron.com/app/answers/detail/a_id/5471/kw/5471

    So it's VERY important to report that while the OS of things like iPads/iPhones/laptops and Windows machines may not be an issue, the apps and programs might be.

    For example, is Safari vulnerable? So if an Apple or Windows browser visits a malicious web site, can data be stolen from the machine visiting the server? Heartbleed works on clients too.

    It's irresponsible to mislead consumers that their products are not vulnerable when in fact they most likely have apps or software that is running on the device.

    1. Anonymous Coward
      Anonymous Coward

      Re: Apple is misleading

      How is Apple responsible for notifying people about the potential security issues of the million plus third party OS X or iOS apps? They simply said that iOS and OS X are not vulnerable. They don't have source, they wouldn't be able to determine which apps are vulnerable if they wanted to.

      If held to your ridiculous standards, every OS vendor out there is "vulnerable" forever because it is possible that someone may have a vulnerable app installed on their PC/phone today and may choose to never update it.

      If I replace the OEM tires in my car, and they sometimes blow up and cause fatal accidents so they get recalled, the manufacturer of my car isn't "vulnerable" to this defect. If asked they'll simply state their cars are not affected by the recall.

      1. Anonymous Coward
        Anonymous Coward

        Re: Apple is misleading

        "If held to your ridiculous standards, every OS vendor out there is "vulnerable" forever "

        And that is the message they should be communicating. Every responsible vendor is.

        If someone sees on the nightly news today "iOS and OSX are safe" they're going to go back to wantonly logging into their email, banking info, etc at internet cafes and other places, thinking they're immune because of Apple magic when really they are not.

        Apple should have said something like "While iOS and OSX are themselves safe, please be aware of the security or lack thereof of all apps, web sites and web service providers".

    2. Franklin

      Re: Apple is misleading

      "For example, is Safari vulnerable? So if an Apple or Windows browser visits a malicious web site, can data be stolen from the machine visiting the server? Heartbleed works on clients too."

      If you're using a Web browser to browse to a secure site, the security of the connection depends on the version of SSL running server-side. If some banking site somewhere is vulnerable, that's not Apple's fault, seems to me.

      Yes, anyone connecting to a vulnerable server is at risk. Apple hasn't said otherwise; what they said was "IOS and OS X never incorporated the vulnerable software and key Web-based services were not affected," which as near as I can tell seems to be true. (Mavericks, for instance, ships with OpenSSL 0.9.8y.)

      1. Anonymous Coward
        Anonymous Coward

        Re: Apple is misleading

        "If you're using a Web browser to browse to a secure site, the security of the connection depends on the version of SSL running server-side. If some banking site somewhere is vulnerable, that's not Apple's fault, seems to me.

        Yes, anyone connecting to a vulnerable server is at risk. Apple hasn't said otherwise; what they said was "IOS and OS X never incorporated the vulnerable software and key Web-based services were not affected," which as near as I can tell seems to be true. (Mavericks, for instance, ships with OpenSSL 0.9.8y.)"

        While true, I'd wager 99% of Apple's user base has no idea what any of that means. They just heard Apple say whatever they do is safe no matter what. So they will do just that.

  9. Mage Silver badge

    Remind me ...

    How long ago did Apple stop making servers?

    Is it 1% or 0.1% of Web Sites that run OS X?

    If you have no open inward ports [on firewall and/or no server services / daemons running] and don't access an evil Server how does the client matter?

    1. PJI

      Re: Remind me ...

      >>How long ago did Apple stop making servers?

      Depends upon what you mean. They may no longer sell hardware labelled "server". But OS X is a BSD derivative and, just like any other UNIX or Linux, can be used to provide services (a server) with the addition of commonly available software, much of which is already installed anyway.

      Apple even sell "OS X Server" software in their app store, see https://itunes.apple.com/us/app/os-x-server/id714547929?mt=12 or any of the many reviews of it.

  10. Andrew Jones 2

    I have found this site quite good for testing - whether it is illegal or not in the UK is not my concern....

    http://filippo.io/Heartbleed/#apple.com

  11. csumpi
    Mushroom

    Apple's a fucking liar

    "All our systems are 100% secure."

    -- posted from my jailbroken idevice --

    1. PJI

      Re: Apple's a fucking liar

      Relevance? The most security-hardened computer product in the world is not immune to the silly owner, with full access to the device, breaking it by modifying or replacing the software with their own idiot versions.

      I suggest you see the source of your rogue software or examine your own conscience if you realise that jail-breaking has made the device insecure.

  12. Anonymous Coward
    Anonymous Coward

    IMMUNITY

    The only thing Apple is IMMUNE from is paying TAX.

  13. ewozza
    Thumb Down

    Nonsense

    Some apple apps have OpenSSL compiled into the app. In addition, many Apple apps communicate with server components on Linux machines. So suggesting iOS is "immune", while probably technically true, isn't the full story.

  14. Glen Turner 666

    macports

    If you use the popular macports to make your Mac more like another operating system then you might want to update the macports-managed software.

