Mac Forums / Security Awareness / Heartbeat OpenSSL bug does not affect OSX. (http://www.mac-forums.com/forums/security-awareness/310324-heartbeat-openssl-bug-does-not-affect-osx.html)

cptkrf 04-08-2014 08:03 PM

Heartbeat OpenSSL bug does not affect OSX.
 
Sorry about that. Should have used both words in the title. Heartbeat is the name of the condition at risk. Heartbleed is the name given to the problem.

FYI

If you run the command…

openssl version

you should get the prompt, OpenSSL 0.9.8y, which is unaffected. You can google up the complicated reason why it isn’t.

However there is a caveat. It is possible that some program that was installed since the last OSX update might have replaced the default version with updated buggy code.

The above command is how to make sure it hasn’t been replaced.

rainbowcat 04-08-2014 08:41 PM

But Heartbleed (we are talking about the same thing, I think) can still steal your data from web sites that you visit, so you should change all passwords, right?

cptkrf 04-08-2014 09:13 PM

Quote:

Originally Posted by rainbowcat (Post 1577016)
But Heartbleed (we are talking about the same thing, I think) can still steal your data from web sites that you visit, so you should change all passwords, right?

It is hard to determine with all the BS that is coming in from trolling posters on every forum. But, so far I have distilled the following out of the noise.

The bug affects sites with web and email servers. They have to be fixed before the problem goes away. But, to the question (about a zillion posters have asked it in the last day) of, "If I have a patched or non-affected OpenSSL installation that I connect with, am I at risk?"

So far the answers are Yes, No and It Depends.

Since it is a server problem, I don't expect Apple to rush out any fix. Actually, I don't expect any fix at all since the OSX version of OpenSSL doesn't have the problem. Now, to the question of, "if you have a buggy SSL, and go to a server that does not, are you at risk?" I don't think so. It appears that the exploit has to be from the server end.

But to your question. I definitely will change my passwords on any important accounts, but only after I get word that their server is patched, or was found to never have had the problem, because, to change a password, you have to enter the old one. Why make it easy for someone to hack?

Lots of sites are already posting the info about their server status.

chas_m 04-09-2014 03:50 AM

I think the advice in this article is more than a little overboard, but here's what Cult of Mac has to say:

Heartbleed Security Bug: What Apple Users Need to Know | Cult of Mac

Aside from dancing around like your hair's on fire, I have to point out that this exploit has been around since March with no reported problems. YES, I'd avoid logging into sites that aren't on the all-clear list for a while. But changing every password for every site? Uh, no.

It's a serious problem, but any site worth its salt is downgrading (or replacing) its OpenSSL implementation as we speak, so I think this is another case of "could be dangerous, everybody FREAK THE F OUT" instead of "let's take sensible precautions in an orderly way."

Less hysterical article on the topic: http://www.sitepronews.com/2014/04/0...part-internet/

MBP17•David 04-09-2014 05:55 AM

Quote:

Originally Posted by cptkrf (Post 1577008)
If you run the command…

openssl version

you should get the prompt, OpenSSL 0.9.8y, which is unaffected.

I got OpenSSL 1.0.0a 1 Jun 2010 :(

Do I need to, or indeed can, do anything about it?
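An added shell helper, not from any poster in this thread, that classifies the output of `openssl version` (including the two strings quoted above, 0.9.8y and 1.0.0a) against the releases the OpenSSL Heartbleed advisory lists as affected: 1.0.1 through 1.0.1f, plus 1.0.2-beta1. The affected range is from that advisory; the function name, the return-code convention and the handling of vendor suffixes such as `-fips` are my own assumptions.

```sh
#!/bin/sh
# Added example: classify an `openssl version` string for Heartbleed exposure.
# Affected releases per the OpenSSL advisory: 1.0.1 up to and including 1.0.1f,
# and 1.0.2-beta1. The 0.9.8 and 1.0.0 branches never contained the heartbeat
# extension code, and 1.0.1g onward carries the fix.
# Returns 0 = affected, 1 = not affected, 2 = could not classify.
heartbleed_status() {
    # Word-split e.g. "OpenSSL 1.0.1e 11 Feb 2013" into $1=OpenSSL $2=1.0.1e ...
    set -- $1
    if [ "$1" != "OpenSSL" ] || [ -z "$2" ]; then
        echo "unparseable input, expected output of: openssl version"
        return 2
    fi
    ver=$2
    case "$ver" in
        # Assumed: vendor builds append a suffix, e.g. 1.0.1e-fips (still affected)
        1.0.1|1.0.1-*|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1)
            echo "$ver: AFFECTED by Heartbleed, update OpenSSL and rotate server keys"
            return 0 ;;
        0.9.*|1.0.0*)
            echo "$ver: not affected (this branch never had the heartbeat code)"
            return 1 ;;
        1.0.1[g-z]*|1.0.2*|1.1*|[23].*)
            echo "$ver: not affected (release includes the fix)"
            return 1 ;;
        *)
            echo "$ver: unrecognised version string, check the advisory by hand"
            return 2 ;;
    esac
}

# Usage: sh check.sh "$(openssl version)"
# With no argument the script only defines the function.
[ $# -eq 0 ] || heartbleed_status "$*"
```

Note that the check only covers the `openssl` binary on the local machine's PATH; it says nothing about the OpenSSL linked into individual applications or, as later posts stress, about the servers you connect to.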

bobtomay 04-09-2014 06:31 AM

Have a read here:

Heartbleed Bug

MBP17•David 04-09-2014 06:47 AM

Thanks bobtomay, appreciate your help.

vansmith 04-09-2014 09:23 AM

I think it's important, as cptkrf has, to differentiate between OpenSSL on your machine and the version of OpenSSL installed on machines that you connect to. Does it affect the version that comes with OS X? No. Might it affect servers that you connect to? Absolutely and in this sense, it very much does affect OS X users (all users in fact).

MBP17•David 04-09-2014 11:43 AM

Quote:

Originally Posted by vansmith (Post 1577098)
I think it's important, as cptkrf has, to differentiate between OpenSSL on your machine and the version of OpenSSL installed on machines that you connect to. Does it affect the version that comes with OS X? No. Might it affect servers that you connect to? Absolutely and in this sense, it very much does affect OS X users (all users in fact).

Yup, staying away from quite a few of my regular sites / forums, until they fix the problem:

http://i871.photobucket.com/albums/a...ps8e21fee2.png

vansmith 04-09-2014 12:10 PM

Quote:

Originally Posted by chas_m (Post 1577060)
It's a serious problem, but any site worth its salt is downgrading (or replacing) its OpenSSL implementation as we speak, so I think this is another case of "could be dangerous, everybody FREAK THE F OUT" instead of "let's take sensible precautions in an orderly way."

True, but there is a disjoint between web developers and web hosts unless the developers host their own content. As you might know, the installs for software are not controlled by the web developers - they are subject to the whims of the web host. While I'm sure the hosts are trying to keep up to date, if they don't, a whole collection of websites will be "out of date."

stefanmaine 04-10-2014 08:49 PM

I checked my MBP as instructed here, and got OpenSSL 0.9.8y.

But I need to log into Apple iTunes, so I checked apple.com, and got this:

http://zoofence.org/heartbleed.jpg

Chas_m wrote, "I'd avoid logging into sites that aren't on the all-clear list for a while". I take that to apply to Apple, yes?

Thanks.

vansmith 04-11-2014 08:21 AM

There's more info in the FAQ that explains the error.

MYmacROX 04-11-2014 12:41 PM

Engadget is reporting that some routers are vulnerable too. I have a D-Link router (and I know some on here do as well) so I went to their forums and found this link with a list of all affected routers. LINK

TattooedMac 04-11-2014 09:26 PM

So what has iNet done about it and the security of Mac-Forums ??

neilf 04-12-2014 06:46 AM

What I find odd about the advice being given out by the press, is that they say, for example, not to use online banking until the bank's web site has verified that they are not affected by Heartbleed, or they have rectified their web site. Not sure about anyone else, but my bank has issued me with a code generator. This is part of the log-in process, and the code is different for each log-in. So if someone got the rest of your log-in details, how would they circumvent the one-off code?
Am I missing something here?
