Site icon The Mac Security Blog

Heartbleed OpenSSL bug: FAQ for Mac, iPhone and iPad users

In the last couple of days you cannot fail to have seen the huge number of media articles about the so-called Heartbleed bug. In this article, we’ll try and answer some of the common questions that users of Apple products have raised about this issue.

What is the Heartbleed bug?

The Heartbleed Bug is a serious vulnerability that could lead to malicious hackers spying on what were thought to be secure Internet communications. A programming bug in the widely-used OpenSSL software library could allow information to be stolen, which—under normal conditions—would be protected by SSL/TLS encryption.

Typical information which could be stolen includes email addresses and passwords, and private communications; data which normally you expect to be transmitted down the equivalent of a “secure line.”

As well as “Heartbleed,” the bug is also known officially by the rather nerdy name of CVE-2014-0160.

How long has this bug existed? It sounds like it’s really bad.

Yes, it is really bad. I hope you’re sitting down. It looks like it’s been around for two years.

Does that mean people have been able to scoop up private information for the last couple of years?

Yes.

Has that been happening? I mean, have bad guys been stealing information this way?

We simply don’t know. Exploitation of the bug leaves no trace, so it’s hard to know if anyone has been abusing it. However, lots of people have demonstrated in the last couple of days that the bug can be exploited, and they’ve proven that it works.

What versions of OpenSSL are vulnerable?

OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable. OpenSSL 1.0.1g, OpenSSL 1.0.0 branch and OpenSSL 0.9.8 branch are NOT vulnerable.

Am I at risk if I use a Mac? What about an iPhone or iPad?

Unfortunately this bug doesn’t care what kind of device you are using to communicate via the Internet. This means that iPhones, iPads and Macs are just as much at risk as, say, a computer running Windows 8.1.

Is there a fix?

Yes. A new version of OpenSSL, version 1.0.1g, was released this week. Internet companies are scrabbling to update vulnerable servers and services. Some sites weren’t vulnerable in the first place, others have since fixed their systems.

Have any big websites been shown to be vulnerable to the Heartbleed bug?

Is Yahoo big enough for you? Some researchers have uncovered hundreds of Yahoo users’ passwords and email addresses by exploiting the flaw. Other big websites reported to have been affected include Flickr, Imgur, OKCupid, Stackoverflow and Eventbrite.

Can Apple roll out the patch for the bug?

Unfortunately this isn’t a bug in Apple’s software or hardware. The bug exists in open source software that some web servers and networked appliances use to establish secure SSL connections. In other words, there is no patch for your computer or smartphone or tablet computer, as the problem exists on the websites themselves.

There is a version of OpenSSL shipped with OS X Mavericks 10.9, but it is unaffected by the bug.

How can I test whether a website is impacted by the Heartbleed bug or not?

A number of websites have been created to test if web servers are vulnerable. Check out https://ssllabs.com/ssltest/ or http://filippo.io/Heartbleed/ if you are curious.

Are Apple’s own website secure, or are they affected by the vulnerability?

Tests indicate that Apple’s own websites are not impacted by the bug.

Where can I find out more about Heartbleed?

Check out this webpage all about the Heartbleed bug by the folks at Codenomicon.

 

Share this: