Heartbeat OpenSSL bug does not affect OSX.

C

chas_m

Guest
Call me a skeptic but until there's evidence that these groups don't use OpenSSL, I'm inclined to believe that they do. However, this doesn't necessarily mean that they're affected for they could be running unaffected version.

"Apple has said its operating systems, OS X and iOS, as well as web services including iTunes and iCloud, which are used by millions of users and generate millions of transactions per day, never used the vulnerable OpenSSL implementation."

Emphasis mine, but that seems pretty clear-cut to me.

Addendum: the latest version of Mavericks, on an unmodified system, reports it is equipped with version 0.9.8y, last updated 5 Feb 2013 (your date might vary). Of course you're not normally using OpenSSL at all (on a users' end) unless you've set up a web server, and even then it appears you are unaffected. To me this lends credence to Apple's contention that OS X has never used the vulnerable OpenSSL implementation, at the very least.
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
"Apple has said its operating systems, OS X and iOS, as well as web services including iTunes and iCloud, which are used by millions of users and generate millions of transactions per day, never used the vulnerable OpenSSL implementation."

Emphasis mine, but that seems pretty clear-cut to me.

Addendum: the latest version of Mavericks, on an unmodified system, reports it is equipped with version 0.9.8y, last updated 5 Feb 2013 (your date might vary). Of course you're not normally using OpenSSL at all (on a users' end) unless you've set up a web server, and even then it appears you are unaffected. To me this lends credence to Apple's contention that OS X has never used the vulnerable OpenSSL implementation, at the very least.
It's not that OS X & iOS don't have it/use it, it's that the services that Apple leverages might. For example, iCloud runs off of Linux boxes (source) which most likely do use OpenSSL in some fashion. In this way, Apple has likely indirectly leveraged OpenSSL along the way at some point since most of their web based services are managed by non-Apple platforms. It's pure speculation on my part but it's safe to say that, since 2/3 of the web is powered by it for cryptographic work (source), it's been involved at some point.
 
C

chas_m

Guest
It's pure speculation on my part but it's safe to say that, since 2/3 of the web is powered by it for cryptographic work (source), it's been involved at some point.

But that has nothing to do with this thread, which is titled "Heartbeat OpenSSL bug does not affect OSX." While I will cheerfully admit that the title of the thread could have been more specific, reading it makes it obvious that we are talking about any manifestations of OpenSSL *included* in OS X. Thus, the statement that OS X is not affected by the bug is true.

All of us as *users of the internet* have been affected by this flaw of course. But that's a different topic. So to is whether or not anything *Apple* is using was affected (the company has already gone on record saying that iCloud and iTunes were not affected).
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
Thus, the statement that OS X is not affected by the bug is true.

All of us as *users of the internet* have been affected by this flaw of course.
So, OS X users are affected by the bug.

Such a suggestion also fails to recognize that various applications leverage OpenSSL and may use different versions than the system provided one. Blanket statements such as "OS X is not affected" fail to see that, with software such as OpenSSL, it might very well be. WD MyCloud software, LastPass and LibreOffice were all vulnerable for example, all software that could be run on a Mac. This issue is bigger than just the OS, effectively making the OS vulnerable.
 
C

chas_m

Guest
So, OS X users are affected by the bug.

Again, that is not the topic of discussion in this thread, and a deliberate misreading of the title.

There are other threads on Heartbleed generally, or if there aren't enough of them for you already, perhaps you could start one on the apps, sites and other Mac-related services that could be affected by the problem. Sounds like a good useful thread to have.
 

vansmith

Senior Member
Joined
Oct 19, 2008
Messages
19,924
Reaction score
559
Points
113
Location
Queensland
Your Mac's Specs
Mini (2014, 2018, 2020), MBA (2020), iPad Pro (2018), iPhone 13 Pro Max, Watch (S6)
Again, that is not the topic of discussion in this thread, and a deliberate misreading of the title.
I'm not quite sure how you think you can separate the software from the users (both consumers and developers) that use it in terms of security but so be it. Heartbleed affects software which runs on OS X. It really is as simple as that.
 
Joined
May 19, 2009
Messages
8,428
Reaction score
295
Points
83
Location
Waiting for a mate . . .
Your Mac's Specs
21" iMac 2.9Ghz 16GB RAM - 10.11.3, iPhone6s & iPad Air 2 - iOS 9.2.1, ATV 4Th Gen tvOS, ATV3
The answer to that would depend on whether or not OpenSSL is used to authenticate anything or provide keys for signing content.

And hence the question, hoping someone from iNet would come in and set us at ease. Ive changed my password anyhows, but still I thought the onus is on the makers of the site to set everyone at ease.
 

Shop Amazon


Shop for your Apple, Mac, iPhone and other computer products on Amazon.
We are a participant in the Amazon Services LLC Associates Program, an affiliate program designed to provide a means for us to earn fees by linking to Amazon and affiliated sites.
Top