Heartbeat OpenSSL bug does not affect OSX.

cptkrf (OP):
Sorry about that. Should have used both words in the title. Heartbeat is the name of the condition at risk. Heartbleed is the name given to the problem.

FYI

If you run the command…

openssl version

you should get the prompt, OpenSSL 0.9.8y, which is unaffected. You can google up the complicated reason why it isn’t.

However there is a caveat. It is possible that some program that was installed since the last OSX update might have replaced the default version with updated buggy code.

The above command is how to make sure it hasn’t been replaced.
 
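The version check above, worked through as an added example (this is not code from the thread or from Apple): a POSIX shell function that classifies an `openssl version` string as Heartbleed-affected or not, plus a walk of every `openssl` binary on PATH to catch the replaced-copy caveat. The affected range is OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 (CVE-2014-0160); 0.9.8x and 1.0.0x predate the heartbeat extension, and 1.0.1g carries the fix. The function names are mine and the sample version strings are constructed (only the two version numbers reported in the thread are real).

```shell
#!/bin/sh
# Added example, not from the thread.  Two checks for the local machine:
#  1. heartbleed_affected: is a given `openssl version` string in the
#     vulnerable range?  Heartbleed (CVE-2014-0160) is in OpenSSL 1.0.1
#     through 1.0.1f and in 1.0.2-beta1.  0.9.8x and 1.0.0x predate the
#     heartbeat extension and are not affected; 1.0.1g carries the fix.
#  2. scan_path_for_openssl: list every `openssl` on PATH with its version,
#     so a Homebrew/MacPorts/installer copy that shadows /usr/bin/openssl
#     does not go unnoticed.

heartbleed_affected() {
  # $1 is the first line printed by `openssl version`,
  # e.g. "OpenSSL 1.0.1e 11 Feb 2013".  Returns 0 (true) if vulnerable.
  ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
  case "$ver" in
    1.0.1 | 1.0.1[a-f] | 1.0.1[a-f]-*) return 0 ;;  # 1.0.1 .. 1.0.1f (incl. -fips builds)
    1.0.2-beta1)                        return 0 ;;
    *)                                  return 1 ;;  # anything else, incl. LibreSSL
  esac
}

classify() {
  # Human-readable verdict for one version line.
  if heartbleed_affected "$1"; then
    printf 'VULNERABLE : %s\n' "$1"
  else
    printf 'not affected: %s\n' "$1"
  fi
}

scan_path_for_openssl() {
  # Walk PATH by hand (portable; `which -a` is not POSIX) and report every
  # openssl binary, so a replaced copy shows up next to the system one.
  old_ifs=$IFS; IFS=:; set -- $PATH; IFS=$old_ifs
  for dir in "$@"; do
    if [ -x "$dir/openssl" ]; then
      classify "$("$dir/openssl" version 2>/dev/null | head -n 1)"
      printf '             (%s)\n' "$dir/openssl"
    fi
  done
}

# Constructed sample strings (only the two version numbers reported in the
# thread are real; the dates are the release dates of those versions).
classify "OpenSSL 0.9.8y 5 Feb 2013"      # stock OS X at the time: not affected
classify "OpenSSL 1.0.0a 1 Jun 2010"      # the 1.0.0 line: not affected
classify "OpenSSL 1.0.1e 11 Feb 2013"     # vulnerable
classify "OpenSSL 1.0.1g 7 Apr 2014"      # first fixed release

# What is actually on this machine's PATH:
scan_path_for_openssl
```

Run it as `sh check-openssl.sh`. A machine where the scan lists two binaries, `/usr/bin/openssl` reporting 0.9.8y and `/usr/local/bin/openssl` reporting 1.0.1e, is exactly the replaced-copy case from the post: the stock library is fine but anything linking against the newer copy is not. Current macOS reports `LibreSSL`, which forked from OpenSSL after the fix and is classified as not affected here.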
Reply from member (joined Nov 12, 2011):
But Heartbleed (we are talking about the same thing, I think) can still steal your data from web sites that you visit, so you should change all passwords, right?
 
cptkrf (OP):
But Heartbleed (we are talking about the same thing, I think) can still steal your data from web sites that you visit, so you should change all passwords, right?

It is hard to determine with all the BS that is coming in from trolling posters on every forum. But, so far I have distilled the following out of the noise.

The bug affects sites with web and email servers. They have to be fixed before the problem goes away. But, to the question (about a zillion posters have asked it in the last day) of, "If I have a patched or non-affected OpenSSL installation that I connect with, am I at risk?"

So far the answers are Yes, No and It Depends.

Since it is a server problem, I don't expect Apple to rush out any fix. Actually, I don't expect any fix at all since the OSX version of OpenSSL doesn't have the problem. Now, to the question of, "if you have a buggy SSL, and go to a server that does not, are you at risk?" I don't think so. It appears that the exploit has to be from the server end.

But to your question. I definitely will change my passwords on any important accounts, but only after I get word that their server is patched, or was found to never have had the problem, because, to change a password, you have to enter the old one. Why make it easy for someone to hack.

Lots of sites are already posting the info about their server status.
 
chas_m (Guest):
I think the advice in this article is more than a little overboard, but here's what Cult of Mac has to say:

Heartbleed Security Bug: What Apple Users Need to Know | Cult of Mac

Aside from dancing around like your hair's on fire, I have to point out that this exploit has been around since March with no reported problems. YES, I'd avoid logging into sites that aren't on the all-clear list for a while. But changing every password for every site? Uh, no.

It's a serious problem, but any site worth its salt is downgrading (or replacing) its OpenSSL implementation as we speak, so I think this is another case of "could be dangerous, everybody FREAK THE F OUT" instead of "let's take sensible precautions in an orderly way."

Less hysterical article on the topic: Apple Community
 
Reply from member (joined Feb 4, 2014, Great Britain):
If you run the command…

openssl version

you should get the prompt, OpenSSL 0.9.8y, which is unaffected.

I got OpenSSL 1.0.0a 1 Jun 2010 :(

Do I need to, or indeed can I, do anything about it?
 

bobtomay (Retired Staff):
Reply from member (joined Feb 4, 2014, Great Britain):
Thanks bobtomay, appreciate your help.
 

vansmith (Senior Member):
I think it's important, as cptkrf has, to differentiate between OpenSSL on your machine and the version of OpenSSL installed on machines that you connect to. Does it affect the version that comes with OS X? No. Might it affect servers that you connect to? Absolutely and in this sense, it very much does affect OS X users (all users in fact).
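The server-side half of that distinction, as an added example (not code from the thread, and not the LastPass checker mentioned later in it): two heuristics a client can apply to a site it is about to log in to. One parses `openssl s_client -tlsextdebug` output for the TLS heartbeat extension, the other compares the certificate's notBefore date with the 7 April 2014 disclosure. The function names and the sample `s_client` text are mine and constructed; the extension line format assumed is the one printed by OpenSSL 1.0.x clients, and the live wrapper needs network access.

```shell
#!/bin/sh
# Added example, not from the thread.  The OpenSSL on your Mac says nothing
# about the OpenSSL on the site you log in to, so these helpers look at what
# a *server* tells a TLS client.  Both are parsed from `openssl` output so
# they can be exercised on captured text without a network.
#
#  - server_offers_heartbeat: did the server echo the TLS heartbeat extension
#    (type 15, RFC 6520) in `openssl s_client -tlsextdebug` output?  No
#    extension means Heartbleed cannot be triggered at all; the extension
#    being present means "at risk if the server runs OpenSSL 1.0.1 through
#    1.0.1f", not "vulnerable".
#  - cert_reissued_after_disclosure: was the certificate issued after the
#    7 April 2014 disclosure?  A site that patched and rotated keys got a new
#    certificate; an old notBefore date means a key that could have leaked
#    before the patch may still be in use.  This is a heuristic only.

server_offers_heartbeat() {
  # $1: text captured from `openssl s_client -connect host:443 -tlsextdebug`
  printf '%s\n' "$1" | grep -Fq 'TLS server extension "heartbeat" (id=15)'
}

cert_reissued_after_disclosure() {
  # $1: the line printed by `openssl x509 -noout -startdate`,
  #     e.g. "notBefore=Apr  9 00:00:00 2014 GMT"
  ymd=$(printf '%s\n' "$1" | awk -F'[= ]+' '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i }
    $1 == "notBefore" { printf "%04d%02d%02d\n", $5, mon[$2], $3 }')
  [ -n "$ymd" ] && [ "$ymd" -gt 20140407 ]
}

probe_site() {
  # Live wrapper (needs network).  Assumes an OpenSSL 1.0.x-era client:
  # OpenSSL 1.1.0+ is built without heartbeats and never offers the extension,
  # so the server never echoes it and this check says nothing on such a client.
  host=$1; port=${2:-443}
  hello=$(openssl s_client -connect "$host:$port" -servername "$host" -tlsextdebug </dev/null 2>&1)
  if server_offers_heartbeat "$hello"; then
    echo "$host: heartbeat extension advertised (at risk if server runs OpenSSL 1.0.1-1.0.1f)"
  else
    echo "$host: heartbeat extension not advertised"
  fi
  # s_client prints the server certificate in PEM; x509 reads the first one.
  start=$(printf '%s\n' "$hello" | openssl x509 -noout -startdate 2>/dev/null)
  if cert_reissued_after_disclosure "$start"; then
    echo "$host: certificate issued after 7 Apr 2014 ($start)"
  else
    echo "$host: certificate predates the disclosure or could not be read ($start)"
  fi
}

# Constructed sample of s_client -tlsextdebug output (not captured from any
# real site), trimmed to the lines that matter.
SAMPLE_HELLO='CONNECTED(00000003)
TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "heartbeat" (id=15), len=1
depth=0 CN = example.invalid'

if server_offers_heartbeat "$SAMPLE_HELLO"; then
  echo "sample: heartbeat extension advertised"
fi
if cert_reissued_after_disclosure "notBefore=Apr  9 00:00:00 2014 GMT"; then
  echo "sample cert: issued after the disclosure"
fi
```

Call `probe_site www.example.com` for a live check. Read the two results together: no heartbeat extension is a clean answer regardless of version; extension present plus a certificate that predates 7 April 2014 is the combination that should keep you from logging in until the site announces it has patched and reissued.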
 
Reply from member (joined Feb 4, 2014, Great Britain):
I think it's important, as cptkrf has, to differentiate between OpenSSL on your machine and the version of OpenSSL installed on machines that you connect to. Does it affect the version that comes with OS X? No. Might it affect servers that you connect to? Absolutely and in this sense, it very much does affect OS X users (all users in fact).

Yup, staying away from quite a few of my regular sites / forums, until they fix the problem:

(outdated link removed)
 

vansmith (Senior Member):
It's a serious problem, but any site worth its salt is downgrading (or replacing) its OpenSSL implementation as we speak, so I think this is another case of "could be dangerous, everybody FREAK THE F OUT" instead of "let's take sensible precautions in an orderly way."
True, but there is a disconnect between web developers and web hosts unless the developers host their own content. As you might know, the installs for software are not controlled by the web developers - they are subject to the whims of the web host. While I'm sure the hosts are trying to keep up to date, if they don't, a whole collection of websites will be "out of date."
 
Reply from member (joined Mar 31, 2011):
I checked my MBP as instructed here, and got OpenSSL 0.9.8y.

But I need to log into Apple iTunes, so I checked apple.com, and got this:

(outdated link removed)

Chas_m wrote, "I'd avoid logging into sites that aren't on the all-clear list for a while". I take that to apply to Apple, yes?

Thanks.
 

vansmith (Senior Member):
There's more info in the FAQ that explains the error.
 
Reply from member (joined Mar 17, 2009):
Engadget is reporting that some routers are vulnerable too. I have a D-Link router (and I know some on here do as well) so I went to their forums and found this link with a list of all affected routers. LINK
 
Reply from member (joined May 19, 2009):
So what has iNet done about it and the security of Mac-Forums?
 
Reply from member (joined Apr 12, 2008):
What I find odd about the advice being given out by the press, is that they say, for example, not to use online banking until the bank's web site has verified that they are not affected by Heartbleed, or they have rectified their web site. Not sure about anyone else, but my bank has issued me with a code generator. This is part of the log-in process, and the code is different for each log-in. So if someone got the rest of your log-in details, how would they circumvent the one-off code?
Am I missing something here?
 

bobtomay (Retired Staff):
You are missing a whole bunch - this bug when exploited permits someone to read the memory of the server - and once you log in and your data is read into memory, it might be possible for someone to read all your personal account info - name, account numbers, etc., along with any data you transmit to them or that the server transmits to you and could allow the exploiter to impersonate the service and the user. Best I can understand, the exploiter would not need to "log in" to your account at some later time, they are already in.
 

vansmith (Senior Member):
So what has iNet done about it and the security of Mac-Forums ??
The answer to that would depend on whether or not OpenSSL is used to authenticate anything or provide keys for signing content.
 
chas_m (Guest):
Now that a few days have passed, some dust has settled and things seem clearer.

The OpenSSL bug allowed attackers who were monitoring a site to "see" the contents of RAM for a while after you've input login credentials. That's a serious flaw, but your risk of this happening to you individually seems, to me, pretty low.

Mashable has a list of "sites where you should change your password" such as Yahoo (ie, they have patched the issue but were using OpenSSL and thus your password MIGHT have been compromised. Maybe. Possibly.)

Banks (and Apple, and Microsoft) don't use OpenSSL, so it's a non-issue with them (as you can see from the Mashable page).

If you use iCloud keychain or 1Password or a program like that, this is an excellent opportunity to change your password from something old and weak to something new and strong. Take advantage of that.
 

vansmith (Senior Member):
Banks (and Apple, and Microsoft) don't use OpenSSL, so it's a non-issue with them (as you can see from the Mashable page).
I'm willing to bet good money that they actually do (except for MS who likely uses IIS and their own SSL implementation). For example, Apple is known to use OpenSSL. Indeed, the LastPass HB checker notes this for something like iCloud (see here). While it's possible that Apple has crafted their own implementation of SSL and TLS, I'm not counting on it given that, last estimate I saw, OpenSSL was the implementation used for nearly 2/3 of all SSL and TLS implementations. Beyond that, given that this wasn't an official announcement from Apple (a "spokesperson" made the claim with no official release) and their rich Unix legacy, I think it's safe to say that OpenSSL is widely used. I could be wrong but until there's some official announcement, the odds are against the idea that Apple doesn't use it (which is certainly not a criticism for it's a fine piece of software).

Banks though will definitely be using it. Unless they're running Windows servers (and thus likely running IIS), odds are that they'll be using it. For example, the CBA notes (source) that banks aren't affected (given the multiple layers of security) but none of them notes that they weren't using OpenSSL (which leads me to believe that they were and still probably are).

Call me a skeptic but until there's evidence that these groups don't use OpenSSL, I'm inclined to believe that they do. However, this doesn't necessarily mean that they're affected, for they could be running an unaffected version.
 
Reply from member (joined May 7, 2010, UK):
What I find odd about the advice being given out by the press, is that they say, for example, not to use online banking until the bank's web site has verified that they are not affected by Heartbleed, or they have rectified their web site. Not sure about anyone else, but my bank has issued me with a code generator. This is part of the log-in process, and the code is different for each log-in. So if someone got the rest of your log-in details, how would they circumvent the one-off code?
Am I missing something here?

It's a pity more banks use code generators. In the UK Barclays does but my bank doesn't.
 
