  1. #16
    Heartbeat OpenSSL bug does not affect OSX.
    bobtomay's Avatar
    Member Since
    Dec 22, 2006
    Location
    Texas, where else?
    Posts
    26,206
    Specs:
    15" MBP '06 2.33 C2D 4GB 10.7; 13" MBA '11 1.8 i7 4GB 10.10; 21" iMac '13 2.9 i5 8GB 10.10; 5s & 5c
    You are missing a whole bunch - this bug when exploited permits someone to read the memory of the server - and once you log in and your data is read into memory, it might be possible for someone to read all your personal account info - name, account numbers, etc., along with any data you transmit to them or that the server transmits to you and could allow the exploiter to impersonate the service and the user. Best I can understand, the exploiter would not need to "log in" to your account at some later time, they are already in.
    I cannot be held responsible for the things that come out of my mouth.
    In the Windows world, most everything folks don't understand is called a virus.

  2. #17
    vansmith's Avatar
    Member Since
    Oct 19, 2008
    Location
    Toronto
    Posts
    19,390
    Specs:
    2012 13" MBP (2.5 i5, 8GB)
    Quote Originally Posted by TattooedMac View Post
    So what has iNet done about it and the security of Mac-Forums ??
    The answer to that would depend on whether or not OpenSSL is used to authenticate anything or provide keys for signing content.
    Important Links: Community Guidelines : Use the reputation system if you've been helped.
    M-F Blog :: Write for the blog
    Writing a Quality Post

  3. #18
    chas_m's Avatar
    Member Since
    Jan 22, 2010
    Location
    Victoria, BC
    Posts
    18,933
    Specs:
    Mid-2012 MBP (16GB, 1TB HD), Monoprice 24-inch second monitor, iPhone 5s 32GB, iPad Air 2 64GB
    Now that a few days have passed, some dust has settled and things seem clearer.

    The OpenSSL bug allowed attackers who were monitoring a site to "see" the contents of RAM for a while after you've input login credentials. That's a serious flaw, but your risk of this happening to you individually seems, to me, pretty low.

    Mashable has a list of "sites where you should change your password" such as Yahoo (i.e., they have patched the issue but were using OpenSSL and thus your password MIGHT have been compromised. Maybe. Possibly.)

    Banks (and Apple, and Microsoft) don't use OpenSSL, so it's a non-issue with them (as you can see from the Mashable page).

    If you use iCloud keychain or 1Password or a program like that, this is an excellent opportunity to change your password from something old and weak to something new and strong. Take advantage of that.

  4. #19
    vansmith's Avatar
    Quote Originally Posted by chas_m View Post
    Banks (and Apple, and Microsoft) don't use OpenSSL, so it's a non-issue with them (as you can see from the Mashable page).
    I'm willing to bet good money that they actually do (except for MS who likely uses IIS and their own SSL implementation). For example, Apple is known to use OpenSSL. Indeed, the LastPass HB checker notes this for something like iCloud (see here). While it's possible that Apple has crafted their own implementation of SSL and TLS, I'm not counting on it given that, last estimate I saw, OpenSSL was the implementation used for nearly 2/3 of all SSL and TLS implementations. Beyond that, given that this wasn't an official announcement from Apple (a "spokesperson" made the claim with no official release) and their rich Unix legacy, I think it's safe to say that OpenSSL is widely used. I could be wrong but until there's some official announcement, the odds are against the idea that Apple doesn't use it (which is certainly not a criticism for it's a fine piece of software).

    Banks though will definitely be using it. Unless they're running Windows servers (and thus likely running IIS), odds are that they'll be using it. For example, the CBA notes (source) that banks aren't affected (given the multiple layers of security) but none of them notes that they weren't using OpenSSL (which leads me to believe that they were and still probably are).

    Call me a skeptic but until there's evidence that these groups don't use OpenSSL, I'm inclined to believe that they do. However, this doesn't necessarily mean that they're affected for they could be running an unaffected version.

  5. #20
    Member Since
    May 07, 2010
    Location
    UK
    Posts
    413
    Specs:
    iMac 21.5" 3.06 GHz Intel Core i3 500 Gb HD OS X 10.10.4; iPad Mini iOS 8.4.1;iPhone 4s iOS 8.4.1;
    Quote Originally Posted by neilf View Post
    What I find odd about the advice being given out by the press, is that they say, for example, not to use online banking until the bank's web site has verified that they are not affected by Heartbleed, or they have rectified their web site. Not sure about anyone else, but my bank has issued me with a code generator. This is part of the log-in process, and the code is different for each log-in. So if someone got the rest of your log-in details, how would they circumvent the one-off code?
    Am I missing something here?
    It's a pity more banks use code generators. In the UK Barclays does but my bank doesn't.

  6. #21
    chas_m's Avatar
    Quote Originally Posted by vansmith View Post
    Call me a skeptic but until there's evidence that these groups don't use OpenSSL, I'm inclined to believe that they do. However, this doesn't necessarily mean that they're affected for they could be running an unaffected version.
    "Apple has said its operating systems, OS X and iOS, as well as web services including iTunes and iCloud, which are used by millions of users and generate millions of transactions per day, never used the vulnerable OpenSSL implementation."

    Emphasis mine, but that seems pretty clear-cut to me.

    Addendum: the latest version of Mavericks, on an unmodified system, reports it is equipped with version 0.9.8y, last updated 5 Feb 2013 (your date might vary). Of course you're not normally using OpenSSL at all (on a user's end) unless you've set up a web server, and even then it appears you are unaffected. To me this lends credence to Apple's contention that OS X has never used the vulnerable OpenSSL implementation, at the very least.

  7. #22
    vansmith's Avatar
    Quote Originally Posted by chas_m View Post
    "Apple has said its operating systems, OS X and iOS, as well as web services including iTunes and iCloud, which are used by millions of users and generate millions of transactions per day, never used the vulnerable OpenSSL implementation."

    Emphasis mine, but that seems pretty clear-cut to me.

    Addendum: the latest version of Mavericks, on an unmodified system, reports it is equipped with version 0.9.8y, last updated 5 Feb 2013 (your date might vary). Of course you're not normally using OpenSSL at all (on a user's end) unless you've set up a web server, and even then it appears you are unaffected. To me this lends credence to Apple's contention that OS X has never used the vulnerable OpenSSL implementation, at the very least.
    It's not that OS X & iOS don't have it/use it, it's that the services that Apple leverages might. For example, iCloud runs off of Linux boxes (source) which most likely do use OpenSSL in some fashion. In this way, Apple has likely indirectly leveraged OpenSSL along the way at some point since most of their web based services are managed by non-Apple platforms. It's pure speculation on my part but it's safe to say that, since 2/3 of the web is powered by it for cryptographic work (source), it's been involved at some point.

  8. #23
    chas_m's Avatar
    Quote Originally Posted by vansmith View Post
    It's pure speculation on my part but it's safe to say that, since 2/3 of the web is powered by it for cryptographic work (source), it's been involved at some point.
    But that has nothing to do with this thread, which is titled "Heartbeat OpenSSL bug does not affect OSX." While I will cheerfully admit that the title of the thread could have been more specific, reading it makes it obvious that we are talking about any manifestations of OpenSSL *included* in OS X. Thus, the statement that OS X is not affected by the bug is true.

    All of us as *users of the internet* have been affected by this flaw of course. But that's a different topic. So too is whether or not anything *Apple* is using was affected (the company has already gone on record saying that iCloud and iTunes were not affected).

  9. #24
    vansmith's Avatar
    Quote Originally Posted by chas_m View Post
    Thus, the statement that OS X is not affected by the bug is true.

    All of us as *users of the internet* have been affected by this flaw of course.
    So, OS X users are affected by the bug.

    Such a suggestion also fails to recognize that various applications leverage OpenSSL and may use different versions than the system provided one. Blanket statements such as "OS X is not affected" fail to see that, with software such as OpenSSL, it might very well be. WD MyCloud software, LastPass and LibreOffice were all vulnerable for example, all software that could be run on a Mac. This issue is bigger than just the OS, effectively making the OS vulnerable.
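The point raised in post #24, that an application can ship its own OpenSSL build separate from the system copy, can be checked by looking for the version banner that OpenSSL embeds in its libraries. This is an added example, not part of any post in the thread: the function names and sample bytes are constructed, and the affected range it applies is that of the upstream releases (1.0.1 through 1.0.1f, plus 1.0.2-beta1).

```python
import re
import sys
from pathlib import Path

# Version banner embedded in OpenSSL builds, e.g. "OpenSSL 0.9.8y 5 Feb 2013".
BANNER = re.compile(rb"OpenSSL (\d+\.\d+\.\d+)([a-z]*)(-beta\d+)?[ -]")

def heartbleed_status(base, letter="", beta=""):
    """Classify an upstream OpenSSL release against the Heartbleed range.

    Upstream releases 1.0.1 through 1.0.1f and 1.0.2-beta1 carry the bug;
    1.0.1g fixed it. The 0.9.8 and 1.0.0 branches never had the heartbeat code.
    Vendor builds can backport the fix without changing the letter, so
    "affected" means "check the vendor's advisory", not proof.
    """
    if base == "1.0.1":
        return "affected" if letter < "g" else "fixed"
    if base == "1.0.2" and beta == "-beta1":
        return "affected"
    return "not affected"

def scan_blob(data):
    """Return sorted (version, status) pairs for each banner found in bytes."""
    found = set()
    for m in BANNER.finditer(data):
        base, letter, beta = (g.decode() if g else "" for g in m.groups())
        found.add((base + letter + beta, heartbleed_status(base, letter, beta)))
    return sorted(found)

# Constructed sample: bytes shaped like a library's string table, holding the
# system banner quoted in this thread plus a bundled 1.0.1e build.
SAMPLE = (b"\x00\x7fjunk\x00OpenSSL 0.9.8y 5 Feb 2013\x00more\x00"
          b"OpenSSL 1.0.1e 11 Feb 2013\x00")

if __name__ == "__main__":
    # Pass paths to dylibs or app binaries; with no arguments, use the sample.
    blobs = {p: Path(p).read_bytes() for p in sys.argv[1:]} or {"sample": SAMPLE}
    for name, data in blobs.items():
        for version, status in scan_blob(data):
            print(f"{name}: OpenSSL {version}: {status}")
```

A statically linked or renamed library still carries the banner, so scanning the application bundle's binaries finds copies that the system `openssl version` command does not report.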

  10. #25
    chas_m's Avatar
    Quote Originally Posted by vansmith View Post
    So, OS X users are affected by the bug.
    Again, that is not the topic of discussion in this thread, and a deliberate misreading of the title.

    There are other threads on Heartbleed generally, or if there aren't enough of them for you already, perhaps you could start one on the apps, sites and other Mac-related services that could be affected by the problem. Sounds like a good useful thread to have.

  11. #26
    vansmith's Avatar
    Quote Originally Posted by chas_m View Post
    Again, that is not the topic of discussion in this thread, and a deliberate misreading of the title.
    I'm not quite sure how you think you can separate the software from the users (both consumers and developers) that use it in terms of security but so be it. Heartbleed affects software which runs on OS X. It really is as simple as that.

  12. #27
    TattooedMac's Avatar
    Member Since
    May 19, 2009
    Location
    Waiting for a mate . . .
    Posts
    8,379
    Specs:
    21" iMac 2.9Ghz 16GB RAM & 13"MBP 2.9Ghz i7 8GB RAM 10.10.3, iPhone5 & iPad Air 2 iOS 8.3, ATV3
    Quote Originally Posted by vansmith View Post
    The answer to that would depend on whether or not OpenSSL is used to authenticate anything or provide keys for signing content.
    And hence the question, hoping someone from iNet would come in and set us at ease. I've changed my password anyhows, but still I thought the onus is on the makers of the site to set everyone at ease.
    Don't forget to use the Reputation System if someone has helped you out !!!
    Arguing with a zealot is only slightly easier than tunneling through a mountain with your forehead!!!!!
    MoTM ☆☆☆
