Security & Privacy

Heartbleed OpenSSL bug: FAQ for Mac, iPhone and iPad users

Posted on April 9th, 2014 by

Heartbleed OpenSSL bug Mac FAQ

In the last couple of days you cannot fail to have seen the huge number of media articles about the so-called Heartbleed bug. In this article, we’ll try and answer some of the common questions that users of Apple products have raised about this issue.

What is the Heartbleed bug?

The Heartbleed Bug is a serious vulnerability that could lead to malicious hackers spying on what were thought to be secure Internet communications. A programming bug in the widely-used OpenSSL software library could allow information to be stolen, which—under normal conditions—would be protected by SSL/TLS encryption.

Typical information which could be stolen includes email addresses and passwords, and private communications; data which normally you expect to be transmitted down the equivalent of a “secure line.”

As well as “Heartbleed,” the bug is also known officially by the rather nerdy name of CVE-2014-0160.

How long has this bug existed? It sounds like it’s really bad.

Yes, it is really bad. I hope you’re sitting down. It looks like it’s been around for two years.

Does that mean people have been able to scoop up private information for the last couple of years?

Yes.

Has that been happening? I mean, have bad guys been stealing information this way?

We simply don’t know. Exploitation of the bug leaves no trace, so it’s hard to know if anyone has been abusing it. However, lots of people have demonstrated in the last couple of days that the bug can be exploited, and they’ve proven that it works.

What versions of OpenSSL are vulnerable?

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable. OpenSSL 1.0.1g, OpenSSL 1.0.0 branch and OpenSSL 0.9.8 branch are NOT vulnerable.

Am I at risk if I use a Mac? What about an iPhone or iPad?

Unfortunately this bug doesn’t care what kind of device you are using to communicate via the Internet. This means that iPhones, iPads and Macs are just as much at risk as, say, a computer running Windows 8.1.

Is there a fix?

Yes. A new version of OpenSSL, version 1.0.1g, was released this week. Internet companies are scrabbling to update vulnerable servers and services. Some sites weren’t vulnerable in the first place, others have since fixed their systems.

Have any big websites been shown to be vulnerable to the Heartbleed bug?

Is Yahoo big enough for you? Some researchers have uncovered hundreds of Yahoo users’ passwords and email addresses by exploiting the flaw. Other big websites reported to have been affected include Flickr, Imgur, OKCupid, Stackoverflow and Eventbrite.

Can Apple roll out the patch for the bug?

Unfortunately this isn’t a bug in Apple’s software or hardware. The bug exists in open source software that some web servers and networked appliances use to establish secure SSL connections. In other words, there is no patch for your computer or smartphone or tablet computer, as the problem exists on the websites themselves.

There is a version of OpenSSL shipped with OS X Mavericks 10.9, but it is unaffected by the bug.

How can I test whether a website is impacted by the Heartbleed bug or not?

A number of websites have been created to test if web servers are vulnerable. Check out https://ssllabs.com/ssltest/ or http://filippo.io/Heartbleed/ if you are curious.

Are Apple’s own website secure, or are they affected by the vulnerability?

Tests indicate that Apple’s own websites are not impacted by the bug.

Where can I find out more about Heartbleed?

Check out this webpage all about the Heartbleed bug by the folks at Codenomicon.

 

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley. View all posts by Graham Cluley →
  • CREDS XXC

    Mac Users shouldn’t panic.

    According to http://www.tuaw.com/2014/04/09/why-the-openssl-heartbleed-bug-doesnt-affect-os-x-or-os-x-serve/

    “No versions of OS X or OS X Server are affected by the OpenSSL Heartbleed bug, because the last version shipped by Apple in an OS was 0.9.8y, which is a branch not affected by this bug. So unless you’ve installed OpenSSL via MacPorts or Homebrew, your public-facing OS X servers/services should be immune to this bug”

    To check the version installed on your system, open a Terminal window and type: “openssl version”

    • http://www.intego.com Intego

      We cannot stress enough that while your Apple products may be “safe,” your encrypted data is not. As TUAW reported, the Heartbleed bug enables the theft of information otherwise protected by SSL/TLS encryption, and it affects many of the websites and other Internet services you use. If the services use OpenSSL to help manage the flow of encrypted data, it doesn’t matter if you’re on a Mac or a Windows computer, your data may be at risk.

  • BikerGran

    I’m still using OS 10.5.8 on a G5 – does this make any difference?

    • http://grahamcluley.com Graham Cluley

      No, it doesn’t make any difference.

      The security hole is on web servers and services you visit – not on your own computer.

      • BikerGran

        Thanks, Graham. I’m hoping that “they” will be able to sort it out now they’ve started to arrest the evil perpetrators! I really don’t understand the mentality of people who do this kind of thing; I used to think that they did it for the money but now I suspect that it’s a need for power. Sad people.

  • Kar.ma

    Great post, very clear!

Join Our Awesome Email Newsletter

Enter your email address below to start receiving the best Mac Security Updates.

{"url":"\/marketo\/json\/add-to-newsletter","data":"list_name=Blog Roadblock"}