Heartbeat OpenSSL bug does not affect OSX.


bobtomay

 
Member Since: Dec 22, 2006
Location: Texas, where else?
Posts: 25,043
Mac Specs: 15" MBP 2.33 C2D 256 4GB, MBA 13" i7 1.8, MB 2.0 2GB, Nano 4th, 3GS, iPad 1
You are missing a whole bunch - this bug when exploited permits someone to read the memory of the server - and once you log in and your data is read into memory, it might be possible for someone to read all your personal account info - name, account numbers, etc., along with any data you transmit to them or that the server transmits to you and could allow the exploiter to impersonate the service and the user. Best I can understand, the exploiter would not need to "log in" to your account at some later time, they are already in.

I cannot be held responsible for the things that come out of my mouth.
In the Windows world, most everything folks don't understand is called a virus.
vansmith

 
Member Since: Oct 19, 2008
Location: Toronto
Posts: 18,056
Mac Specs: 2012 13" MBP (2.5 i5, 8GB)

Quote:
Originally Posted by TattooedMac
So what has iNet done about it and the security of Mac-Forums ??
The answer to that would depend on whether or not OpenSSL is used to authenticate anything or provide keys for signing content.

Important Links: Community Guidelines : Use the reputation system if you've been helped.
M-F Blog :: Write for the blog
Writing a Quality Post
chas_m

 
Member Since: Jan 22, 2010
Location: Victoria, BC
Posts: 17,105
Mac Specs: 2012 MBP, Black speakers, Black Benq second monitor, black(ish) iPhone 5s, Black 2012 iPad, etc.
Now that a few days have passed, some dust has settled and things seem clearer.

The OpenSSL bug allowed attackers who were monitoring a site to "see" the contents of RAM for a while after you've input login credentials. That's a serious flaw, but your risk of this happening to you individually seems, to me, pretty low.

Mashable has a list of "sites where you should change your password" such as Yahoo (i.e., they have patched the issue but were using OpenSSL and thus your password MIGHT have been compromised. Maybe. Possibly.)

Banks (and Apple, and Microsoft) don't use OpenSSL, so it's a non-issue with them (as you can see from the Mashable page).

If you use iCloud keychain or 1Password or a program like that, this is an excellent opportunity to change your password from something old and weak to something new and strong. Take advantage of that.
vansmith

 
Member Since: Oct 19, 2008
Location: Toronto
Posts: 18,056
Mac Specs: 2012 13" MBP (2.5 i5, 8GB)

Quote:
Originally Posted by chas_m
Banks (and Apple, and Microsoft) don't use OpenSSL, so it's a non-issue with them (as you can see from the Mashable page).
I'm willing to bet good money that they actually do (except for MS who likely uses IIS and their own SSL implementation). For example, Apple is known to use OpenSSL. Indeed, the LastPass HB checker notes this for something like iCloud (see here). While it's possible that Apple has crafted their own implementation of SSL and TLS, I'm not counting on it given that, last estimate I saw, OpenSSL was the implementation used for nearly 2/3 of all SSL and TLS implementations. Beyond that, given that this wasn't an official announcement from Apple (a "spokesperson" made the claim with no official release) and their rich Unix legacy, I think it's safe to say that OpenSSL is widely used. I could be wrong but until there's some official announcement, the odds are against the idea that Apple doesn't use it (which is certainly not a criticism for it's a fine piece of software).

Banks though will definitely be using it. Unless they're running Windows servers (and thus likely running IIS), odds are that they'll be using it. For example, the CBA notes (source) that banks aren't affected (given the multiple layers of security) but none of them notes that they weren't using OpenSSL (which leads me to believe that they were and still probably are).

Call me a skeptic but until there's evidence that these groups don't use OpenSSL, I'm inclined to believe that they do. However, this doesn't necessarily mean that they're affected for they could be running an unaffected version.

Important Links: Community Guidelines : Use the reputation system if you've been helped.
M-F Blog :: Write for the blog
Writing a Quality Post
Alwyn

 
Member Since: May 07, 2010
Location: UK
Posts: 317
Mac Specs: iMac 21.5" 3.06 GHz Intel Core i3 500 Gb HD OS X 10.10.0; iPad Mini iOS 8.1;iPhone 3GS 6.1.6

Quote:
Originally Posted by neilf
What I find odd about the advice being given out by the press, is that they say, for example, not to use online banking until the bank's web site has verified that they are not affected by Heartbleed, or they have rectified their web site. Not sure about anyone else, but my bank has issued me with a code generator. This is part of the log-in process, and the code is different for each log-in. So if someone got the rest of your log-in details, how would they circumvent the one-off code?
Am I missing something here?
It's a pity more banks use code generators. In the UK Barclays does but my bank doesn't.
chas_m

 
Member Since: Jan 22, 2010
Location: Victoria, BC
Posts: 17,105
Mac Specs: 2012 MBP, Black speakers, Black Benq second monitor, black(ish) iPhone 5s, Black 2012 iPad, etc.

Quote:
Originally Posted by vansmith
Call me a skeptic but until there's evidence that these groups don't use OpenSSL, I'm inclined to believe that they do. However, this doesn't necessarily mean that they're affected for they could be running an unaffected version.
"Apple has said its operating systems, OS X and iOS, as well as web services including iTunes and iCloud, which are used by millions of users and generate millions of transactions per day, never used the vulnerable OpenSSL implementation."

Emphasis mine, but that seems pretty clear-cut to me.

Addendum: the latest version of Mavericks, on an unmodified system, reports it is equipped with version 0.9.8y, last updated 5 Feb 2013 (your date might vary). Of course you're not normally using OpenSSL at all (on a user's end) unless you've set up a web server, and even then it appears you are unaffected. To me this lends credence to Apple's contention that OS X has never used the vulnerable OpenSSL implementation, at the very least.
vansmith

 
Member Since: Oct 19, 2008
Location: Toronto
Posts: 18,056
Mac Specs: 2012 13" MBP (2.5 i5, 8GB)

Quote:
Originally Posted by chas_m
"Apple has said its operating systems, OS X and iOS, as well as web services including iTunes and iCloud, which are used by millions of users and generate millions of transactions per day, never used the vulnerable OpenSSL implementation."

Emphasis mine, but that seems pretty clear-cut to me.

Addendum: the latest version of Mavericks, on an unmodified system, reports it is equipped with version 0.9.8y, last updated 5 Feb 2013 (your date might vary). Of course you're not normally using OpenSSL at all (on a user's end) unless you've set up a web server, and even then it appears you are unaffected. To me this lends credence to Apple's contention that OS X has never used the vulnerable OpenSSL implementation, at the very least.
It's not that OS X & iOS don't have it/use it, it's that the services that Apple leverages might. For example, iCloud runs off of Linux boxes (source) which most likely do use OpenSSL in some fashion. In this way, Apple has likely indirectly leveraged OpenSSL along the way at some point since most of their web based services are managed by non-Apple platforms. It's pure speculation on my part but it's safe to say that, since 2/3 of the web is powered by it for cryptographic work (source), it's been involved at some point.

Important Links: Community Guidelines : Use the reputation system if you've been helped.
M-F Blog :: Write for the blog
Writing a Quality Post
chas_m

 
Member Since: Jan 22, 2010
Location: Victoria, BC
Posts: 17,105
Mac Specs: 2012 MBP, Black speakers, Black Benq second monitor, black(ish) iPhone 5s, Black 2012 iPad, etc.

Quote:
Originally Posted by vansmith
It's pure speculation on my part but it's safe to say that, since 2/3 of the web is powered by it for cryptographic work (source), it's been involved at some point.
But that has nothing to do with this thread, which is titled "Heartbeat OpenSSL bug does not affect OSX." While I will cheerfully admit that the title of the thread could have been more specific, reading it makes it obvious that we are talking about any manifestations of OpenSSL *included* in OS X. Thus, the statement that OS X is not affected by the bug is true.

All of us as *users of the internet* have been affected by this flaw of course. But that's a different topic. So too is whether or not anything *Apple* is using was affected (the company has already gone on record saying that iCloud and iTunes were not affected).
vansmith

 
Member Since: Oct 19, 2008
Location: Toronto
Posts: 18,056
Mac Specs: 2012 13" MBP (2.5 i5, 8GB)

Quote:
Originally Posted by chas_m
Thus, the statement that OS X is not affected by the bug is true.

All of us as *users of the internet* have been affected by this flaw of course.
So, OS X users are affected by the bug.

Such a suggestion also fails to recognize that various applications leverage OpenSSL and may use different versions than the system provided one. Blanket statements such as "OS X is not affected" fail to see that, with software such as OpenSSL, it might very well be. WD MyCloud software, LastPass and LibreOffice were all vulnerable for example, all software that could be run on a Mac. This issue is bigger than just the OS, effectively making the OS vulnerable.

Important Links: Community Guidelines : Use the reputation system if you've been helped.
M-F Blog :: Write for the blog
Writing a Quality Post
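
The two observations above (the OpenSSL shipped with OS X reports 0.9.8y, while an application may bundle a different copy) can be checked on disk. This is an added example, not part of any post in this thread; the affected range it uses (1.0.1 through 1.0.1f, plus 1.0.2-beta1) comes from the upstream OpenSSL advisory rather than from the thread, and `SomeApp.app` and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list OpenSSL copies bundled under the given
# directories and flag releases in the Heartbleed-affected range.

# heartbleed_status VERSION -> "affected" | "not-affected"
# Affected upstream releases: 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
# The 0.9.8 and 1.0.0 branches never shipped the heartbeat code; 1.0.1g is fixed.
# Caveat: vendor-patched builds and builds compiled with -DOPENSSL_NO_HEARTBEATS
# keep the old version text, so "affected" means "confirm with the vendor".
heartbleed_status() {
    case "$1" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) echo affected ;;
        *) echo not-affected ;;
    esac
}

# openssl_banner FILE -> version from the first "OpenSSL x.y.z..." text in FILE.
# tr turns every non-printable byte into a newline (a portable stand-in for strings).
openssl_banner() {
    LC_ALL=C tr -c '\040-\176' '\n' < "$1" |
        grep -o -E 'OpenSSL [0-9]+\.[0-9]+\.[0-9]+[a-z]*(-beta[0-9]+)?' |
        head -n 1 | cut -d' ' -f2
}

# scan_openssl DIR... -> one line per library: "<status> <version> <path>"
# Only files named libssl*/libcrypto* are checked; statically linked copies are missed.
scan_openssl() {
    find "$@" -type f \( -name 'libssl*' -o -name 'libcrypto*' \) 2>/dev/null |
    while IFS= read -r lib; do
        ver=$(openssl_banner "$lib")
        [ -n "$ver" ] || continue
        printf '%s %s %s\n' "$(heartbleed_status "$ver")" "$ver" "$lib"
    done
}

# make_sample -> path of a constructed tree (fake files holding only a banner).
# SomeApp.app is a hypothetical application bundle.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/lib" "$d/SomeApp.app/Contents/Frameworks"
    printf 'x\0OpenSSL 0.9.8y 5 Feb 2013\0' > "$d/usr/lib/libcrypto.0.9.8.dylib"
    printf 'x\0OpenSSL 1.0.1e 11 Feb 2013\0' \
        > "$d/SomeApp.app/Contents/Frameworks/libssl.1.0.0.dylib"
    echo "$d"
}

# Usage: sh scan.sh /Applications /usr/local   (with no arguments nothing is scanned)
if [ "$#" -gt 0 ]; then scan_openssl "$@"; fi
```

On the constructed tree, the system-style library is reported as `not-affected 0.9.8y` and the copy inside the hypothetical app bundle as `affected 1.0.1e`.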
chas_m

 
Member Since: Jan 22, 2010
Location: Victoria, BC
Posts: 17,105
Mac Specs: 2012 MBP, Black speakers, Black Benq second monitor, black(ish) iPhone 5s, Black 2012 iPad, etc.

Quote:
Originally Posted by vansmith
So, OS X users are affected by the bug.
Again, that is not the topic of discussion in this thread, and a deliberate misreading of the title.

There are other threads on Heartbleed generally, or if there aren't enough of them for you already, perhaps you could start one on the apps, sites and other Mac-related services that could be affected by the problem. Sounds like a good useful thread to have.
vansmith

 
Member Since: Oct 19, 2008
Location: Toronto
Posts: 18,056
Mac Specs: 2012 13" MBP (2.5 i5, 8GB)

Quote:
Originally Posted by chas_m
Again, that is not the topic of discussion in this thread, and a deliberate misreading of the title.
I'm not quite sure how you think you can separate the software from the users (both consumers and developers) that use it in terms of security but so be it. Heartbleed affects software which runs on OS X. It really is as simple as that.

Important Links: Community Guidelines : Use the reputation system if you've been helped.
M-F Blog :: Write for the blog
Writing a Quality Post
TattooedMac

 
Member Since: May 19, 2009
Location: Waiting for a mate . . .
Posts: 7,809
Mac Specs: 21" iMac 2.9Ghz 10.9.4 13"MBP 2.9Ghz i7 Yosemite 10.10 ~ iPhone5 iOS 8 ~ iPad Mini iOS 8 ~ ATV3 6.1

Quote:
Originally Posted by vansmith
The answer to that would depend on whether or not OpenSSL is used to authenticate anything or provide keys for signing content.
And hence the question, hoping someone from iNet would come in and set us at ease. I've changed my password anyhows, but still I thought the onus is on the makers of the site to set everyone at ease.

CogFrog Studio's ~ Photography, Apps and Web Development
Dont forget to use the Reputation System if someone has helped you out !!!
Arguing with a zealot is only slightly easier than tunneling through a mountain with your forehead!!!!!