Cupertino had promised that OS X, iOS, and web services were safe

Apr 23, 2014 12:57 GMT

Despite issuing a statement that said “key Web-based services were not affected” by the Heartbleed bug, Apple today released a firmware update for AirPort base stations that incorporates a patch specifically addressing the OpenSSL flaw.

In a statement provided to Re/code earlier this month, a company spokesperson said, “Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key Web-based services were not affected.”

Admittedly, AirPort is neither an OS, nor a web-based service (such as iCloud), but that doesn’t mean it’s not a key Apple service.

The company has released AirPort Base Station Firmware Update 7.7.3 which is “recommended for all AirPort Extreme and AirPort Time Capsule base stations with 802.11ac.” According to a brief support document, “It provides security improvements related to SSL/TLS. Other AirPort base stations do not require this firmware update.”

A second, more comprehensive advisory states that the firmware update patches a flaw in which “an attacker in a privileged network position may obtain memory contents.”

The Mac maker doesn’t specifically mention the Heartbleed flaw, but its description is detailed enough to confirm that Firmware Update 7.7.3 indeed patches the infamous vulnerability that affected half of the Internet.

“An out-of-bounds read issue existed in the OpenSSL library when handling TLS heartbeat extension packets. An attacker in a privileged network position could obtain information from process memory. This issue was addressed through additional bounds checking. Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue.”

Apple credits Riku, Antti, and Matti of Codenomicon and Neel Mehta of Google Security as the people who discovered and reported the flaw.

The Mac maker says firmware version 7.7.3 is to be installed on “AirPort Extreme or AirPort Time Capsule base stations with 802.11ac using AirPort Utility for Mac or iOS.” Softpedia readers can download the utilities at the links supplied below.

On OS X, customers are advised to employ AirPort Utility 6.3.1. On iOS, AirPort Utility 1.3.1 or later is to be used.

Apple has also released standard security updates for OS X Lion, Mountain Lion, and Mavericks, as well as iOS 7.1.1 and Apple TV firmware 6.1.1 to address bugs.

Download AirPort Utility for Mac OS X

Download AirPort Utility for iOS