Heartbeat OpenSSL bug does not affect OSX.


cptkrf

 
Sorry about that. Should have used both words in the title. Heartbeat is the name of the condition at risk. Heartbleed is the name given to the problem.

FYI

If you run the command…

openssl version

you should get the prompt, OpenSSL 0.9.8y, which is unaffected. You can google up the complicated reason why it isn’t.

However there is a caveat. It is possible that some program that was installed since the last OSX update might have replaced the default version with updated buggy code.

The above command is how to make sure it hasn’t been replaced.

Last edited by cptkrf; 04-08-2014 at 10:14 PM.
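The caveat in the post above, as an added example that is not part of the original post: a bare `openssl version` only queries the first `openssl` found on the search path, so this POSIX shell function lists every copy on the path with the version it reports. The function name `audit_openssl` and the default expected string are assumptions; copies of the library bundled inside applications are not on the path and are not covered.

```shell
#!/bin/sh
# audit_openssl [PATH_LIST] [EXPECTED]
# Prints one line per "openssl" executable found on PATH_LIST, in search order:
#   <OK|DIFFERS> <TAB> <path> <TAB> <reported version>
# The first line printed is the copy a bare "openssl version" would run.
# Returns 1 if any copy reports something other than EXPECTED.
audit_openssl() {
    search_path=${1:-$PATH}
    expected=${2:-"OpenSSL 0.9.8y"}   # version quoted in the post; adjust per OS release
    status=0
    seen=":"
    old_ifs=$IFS
    IFS=:
    for dir in $search_path; do
        IFS=$old_ifs
        [ -n "$dir" ] || dir=.                         # empty PATH entry means current directory
        case "$seen" in *":$dir:"*) continue ;; esac   # skip repeated PATH entries
        seen="$seen$dir:"
        bin="$dir/openssl"
        if [ ! -f "$bin" ] || [ ! -x "$bin" ]; then continue; fi
        # Ask this specific copy for its version; a failure is reported, not hidden.
        ver=$("$bin" version 2>/dev/null) || ver="(version query failed)"
        case "$ver" in
            "$expected"|"$expected "*) verdict=OK ;;
            *)                         verdict=DIFFERS; status=1 ;;
        esac
        printf '%s\t%s\t%s\n' "$verdict" "$bin" "$ver"
    done
    IFS=$old_ifs
    return $status
}
```

Source the file and run `audit_openssl` with no arguments to scan the current `PATH`; a `DIFFERS` line means some installer has added or replaced a copy.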
rainbowcat

 
But Heartbleed (we are talking about the same thing, I think) can still steal your data from web sites that you visit, so you should change all passwords, right?
cptkrf

 
Quote:
Originally Posted by rainbowcat View Post
But Heartbleed (we are talking about the same thing, I think) can still steal your data from web sites that you visit, so you should change all passwords, right?
It is hard to determine with all the BS that is coming in from trolling posters on every forum. But, so far I have distilled the following out of the noise.

The bug affects sites with web and email servers. They have to be fixed before the problem goes away. But, to the question (about a zillion posters have asked it in the last day) of, "If I have a patched or non-affected OpenSSL installation that I connect with, am I at risk?"

So far the answers are Yes, No and It Depends.

Since it is a server problem, I don't expect Apple to rush out any fix. Actually, I don't expect any fix at all since the OSX version of OpenSSL doesn't have the problem. Now, to the question of, "if you have a buggy SSL, and go to a server that does not, are you at risk?" I don't think so. It appears that the exploit has to be from the server end.

But to your question. I definitely will change my passwords on any important accounts, but only after I get word that their server is patched, or was found to never have had the problem, because, to change a password, you have to enter the old one. Why make it easy for someone to hack?

Lots of sites are already posting the info about their server status.

Last edited by cptkrf; 04-08-2014 at 10:32 PM.
MBP17•David

 
Quote:
Originally Posted by cptkrf View Post
If you run the command…

openssl version

you should get the prompt, OpenSSL 0.9.8y, which is unaffected.
I got OpenSSL 1.0.0a 1 Jun 2010

Do I need to, or indeed can, do anything about it?

Dvid
bobtomay

 
Have a read here:

Heartbleed Bug


...

I cannot be held responsible for the things that come out of my mouth.
In the Windows world, most everything folks don't understand is called a virus.
MBP17•David

 
Thanks bobtomay, appreciate your help.

Dvid
vansmith

 
I think it's important, as cptkrf has, to differentiate between OpenSSL on your machine and the version of OpenSSL installed on machines that you connect to. Does it affect the version that comes with OS X? No. Might it affect servers that you connect to? Absolutely and in this sense, it very much does affect OS X users (all users in fact).

MBP17•David

 
Quote:
Originally Posted by vansmith View Post
I think it's important, as cptkrf has, to differentiate between OpenSSL on your machine and the version of OpenSSL installed on machines that you connect to. Does it affect the version that comes with OS X? No. Might it affect servers that you connect to? Absolutely and in this sense, it very much does affect OS X users (all users in fact).
Yup, staying away from quite a few of my regular sites / forums, until they fix the problem:


Dvid
vansmith

 
Quote:
Originally Posted by chas_m View Post
It's a serious problem, but any site worth its salt is downgrading (or replacing) its OpenSSL implementation as we speak, so I think this is another case of "could be dangerous, everybody FREAK THE F OUT" instead of "let's take sensible precautions in an orderly way."
True, but there is a disjoint between web developers and web hosts unless the developers host their own content. As you might know, the installs for software are not controlled by the web developers - they are subject to the whims of the web host. While I'm sure the hosts are trying to keep up to date, if they don't, a whole collection of websites will be "out of date."

stefanmaine

 
I checked my MBP as instructed here, and got OpenSSL 0.9.8y.

But I need to log into Apple iTunes, so I checked apple.com, and got this:



Chas_m wrote, "I'd avoid logging into sites that aren't on the all-clear list for a while". I take that to apply to Apple, yes?

Thanks.
vansmith

 
There's more info in the FAQ that explains the error.

MYmacROX

 
Engadget is reporting that some routers are vulnerable too. I have a D-Link router (and I know some on here do as well) so I went to their forums and found this link with a list of all affected routers. LINK

16GB iPhone 5, 64GB Wi-Fi only iPad 1st Gen.

Reminder: Please include your Mac's specs. This will make it much easier for the other members to assist you.
TattooedMac

 
So what has iNet done about it and the security of Mac-Forums ??

CogFrog Studio's ~ Photography, Apps and Web Development
Don't forget to use the Reputation System if someone has helped you out !!!
Arguing with a zealot is only slightly easier than tunneling through a mountain with your forehead!!!!!
neilf

 
What I find odd about the advice being given out by the press, is that they say, for example, not to use online banking until the bank's web site has verified that they are not affected by Heartbleed, or they have rectified their web site. Not sure about anyone else, but my bank has issued me with a code generator. This is part of the log-in process, and the code is different for each log-in. So if someone got the rest of your log-in details, how would they circumvent the one-off code?
Am I missing something here?
bobtomay

 
You are missing a whole bunch - this bug when exploited permits someone to read the memory of the server - and once you log in and your data is read into memory, it might be possible for someone to read all your personal account info - name, account numbers, etc., along with any data you transmit to them or that the server transmits to you and could allow the exploiter to impersonate the service and the user. Best I can understand, the exploiter would not need to "log in" to your account at some later time, they are already in.
