That last sentence...
Haven't laughed so much in years.
Apple has reassured fanbois that its operating systems have not been affected by the apparently apocalyptic Heartbleed vulnerability. The OpenSSL bug has been terrifying the tech world all week, but apparently no one at Cupertino is that bothered about it. After taking a few days to check its security, the fruity firm joined …
"The reported "safe" version of OpenSSL is 1.0.1g released on 7 Apr. I'd take another look."
That's not the whole story, because the patch has been backported to previous versions.
My Red Hat derivatives and Debian are running 1.0.1e and the patches for that arrived pretty promptly.
Of course, anyone not running the latest will still be subject to other vulnerabilities which have been addressed in subsequent releases.
So, Apple lags so much in keeping its libraries up to date that even the most recent versions of its software are not affected by a 2-year-old bug.
Security through obsolescence?
The good news is, we'll only have to wait a few years to be able to use XP safely.
OpenSSL 0.9.8 is not "dead". Yes, it's the older branch, but it still receives major security fixes. Many systems still utilize it because it's been around for so much longer than the 1.0.x series, so it (should be) more stable.
The biggest disadvantage of the 0.9.8 branch is that it doesn't support the newer cipher suites.
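One way to turn the version discussion in the comments above (1.0.1g as the fixed release, 0.9.8 not affected, distro backports keeping the old version letter) into a triage check. This is an added example, not code from the article or any commenter; the banner strings are constructed, and the host names are hypothetical.

```python
"""Classify `openssl version` banners for Heartbleed (CVE-2014-0160) exposure.

Assumptions (added example, not from the page):
  * 1.0.1 through 1.0.1f and the 1.0.2 betas carry the vulnerable heartbeat
    code; 1.0.1g is the first fixed upstream release.
  * 0.9.8 and 1.0.0 never had TLS heartbeat support, so they are not affected.
  * Distributions backport the fix without bumping the upstream letter, so a
    1.0.1e banner is inconclusive on its own and must be confirmed from the
    package changelog on the host you administer.
"""
import re

FIX_LETTER = "g"  # 1.0.1g (7 Apr 2014) is the first fixed upstream release
BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed sample banners keyed by hypothetical host names.
SAMPLE_BANNERS = {
    "macbook":  "OpenSSL 0.9.8y 5 Feb 2013",      # what Mavericks-era OS X ships
    "debian":   "OpenSSL 1.0.1e 11 Feb 2013",     # distro may have backported fix
    "rebuilt":  "OpenSSL 1.0.1g 7 Apr 2014",      # upstream fixed release
    "bsdbox":   "LibreSSL 2.0.0",                 # not an OpenSSL banner at all
}


def classify(banner: str) -> str:
    """Return 'not_affected', 'fixed', 'unknown_check_backport' or 'unparsed'."""
    m = BANNER_RE.search(banner)
    if not m:
        return "unparsed"
    series = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)
    if series < (1, 0, 1):
        return "not_affected"            # 0.9.8 / 1.0.0 never shipped heartbeats
    if series == (1, 0, 1):
        if letter >= FIX_LETTER:         # "" (plain 1.0.1) and a..f sort below g
            return "fixed"
        return "unknown_check_backport"  # vulnerable upstream; distro may have patched
    if series == (1, 0, 2) and "beta" in banner:
        return "unknown_check_backport"  # 1.0.2 betas predate the fix
    return "fixed"                       # 1.0.2 final and later came after the fix


def triage(banners: dict) -> dict:
    """Classify every host's banner; inconclusive ones need a changelog check."""
    return {host: classify(banner) for host, banner in banners.items()}
```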
iOS and OS X don't use OpenSSL. In fact, Apple even recommends developers not to use OpenSSL as they consider the API to be unstable.
I assume the only reason they ship a (not vulnerable) version of OpenSSL is because some ports from Unix or Linux that users like to play around with themselves depend on it. This is why you can come across newer (vulnerable) versions of OpenSSL if you have updated MacPorts some time between the creation of this bug and this week. Most normal users don't install MacPorts so won't be vulnerable.
The risk of this bug exists mainly server side anyway, OpenSSL clients are unlikely to suffer from this. That means that this security audit will not have focused on consumer iOS or OS X devices but on Apple's own cloud services. Apparently they haven't been using OpenSSL on their servers either.
Some seem to think security is about always making sure you're running the latest version of something, when in reality, if you don't change functionality much and patch all the vulnerabilities, it ends up being more secure.
Why do you think NASA always lags behind with the CPUs they use in their projects? They wait for all the flaws and bugs to be documented and for compilers to be solid.
Apple is misleading people. While the OS might not be vulnerable to Heartbleed, the apps ARE vulnerable. This is confirmed by Crestron - a major home automation manufacturer. http://support.crestron.com/app/answers/detail/a_id/5471/kw/5471
So it's VERY important to report that while the OS of things like iPads/iPhones/laptops and Windows machines may not be an issue, the apps and programs might be.
For example, is Safari vulnerable? So if an Apple or Windows browser visits a malicious web site, can data be stolen from the machine visiting the server? Heartbleed works on clients too.
It's irresponsible to mislead consumers that their products are not vulnerable when in fact they most likely have apps or software that is running on the device.
How is Apple responsible for notifying people about the potential security issues of the million plus third party OS X or iOS apps? They simply said that iOS and OS X are not vulnerable. They don't have source, they wouldn't be able to determine which apps are vulnerable if they wanted to.
If held to your ridiculous standards, every OS vendor out there is "vulnerable" forever because it is possible that someone may have a vulnerable app installed on their PC/phone today and may choose to never update it.
If I replace the OEM tires in my car, and they sometimes blow up and cause fatal accidents so they get recalled, the manufacturer of my car isn't "vulnerable" to this defect. If asked they'll simply state their cars are not affected by the recall.
"If held to your ridiculous standards, every OS vendor out there is "vulnerable" forever "
And that is the message they should be communicating. Every responsible vendor is.
If someone sees on the nightly news today "iOS and OSX are safe" they're going to go back to wantonly logging into their email, banking info, etc. at internet cafes and other places, thinking they're immune because of Apple magic when really they are not.
Apple should have said something like "While iOS and OSX are themselves safe, please be aware of the security or lack thereof of all apps, web sites and web service providers".
"For example, is Safari vulnerable? So if an Apple or Windows browser visits a malicious web site, can data be stolen from the machine visiting the server? Heartbleed works on clients too."
If you're using a Web browser to browse to a secure site, the security of the connection depends on the version of SSL running server-side. If some banking site somewhere is vulnerable, that's not Apple's fault, seems to me.
Yes, anyone connecting to a vulnerable server is at risk. Apple hasn't said otherwise; what they said was "IOS and OS X never incorporated the vulnerable software and key Web-based services were not affected," which as near as I can tell seems to be true. (Mavericks, for instance, ships with OpenSSL 0.9.8y.)
"If you're using a Web browser to browse to a secure site, the security of the connection depends on the version of SSL running server-side. If some banking site somewhere is vulnerable, that's not Apple's fault, seems to me.
Yes, anyone connecting to a vulnerable server is at risk. Apple hasn't said otherwise; what they said was "IOS and OS X never incorporated the vulnerable software and key Web-based services were not affected," which as near as I can tell seems to be true. (Mavericks, for instance, ships with OpenSSL 0.9.8y.)"
While true, I'd wager 99% of Apple's user base has no idea what any of that means. They just heard Apple say whatever they do is safe no matter what. So they will do just that.
>>How long ago did Apple stop making servers?
Depends upon what you mean. They may no longer sell hardware labelled "server", but OSX is a BSD derivative and, just like any other UNIX or Linux, can be used to provide services (a server) with the addition of commonly available software, much of which is already installed anyway.
Apple even sell "OS X Server" software in their app store, see https://itunes.apple.com/us/app/os-x-server/id714547929?mt=12 or any of the many reviews of it.
Relevance? The most security-hardened computer product in the world is not immune to the silly owner, with full access to the device, breaking it by modifying or replacing the software with their own idiot versions.
I suggest you see the source of your rogue software or examine your own conscience if you realise that jail-breaking has made the device insecure.
Biting the hand that feeds IT © 1998–2019