“Apple takes security very seriously,” a spokesperson commented

Apr 11, 2014 07:44 GMT

A spokesperson for Apple Inc. confirmed in a brief statement that its operating systems and web services have not been affected by the widely reported “Heartbleed” vulnerability found in the OpenSSL cryptographic library this week.

Described by security expert Bruce Schneier as “catastrophic,” the Heartbleed SSL flaw would allow cybercriminals to defeat a safeguard that normally protects user names and passwords, as well as credit card information submitted in web forms. “On the scale of 1 to 10, this is an 11,” wrote Schneier in a blog post.

Re/code has now obtained a formal statement from Apple indicating that people using iPhones and Macs are not affected.

“Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key Web-based services were not affected,” a spokesperson for the company said.

Security specialist Graham Cluley noted this week that, before OpenSSL released its patch, pretty much any device connected to the Internet was vulnerable. However, that does not make Apple's statement any less true.

As Cluley tells us (in a request to correct a mistake in this article), “This isn’t Apple’s problem and there’s nothing for them to fix. But that doesn’t mean Apple users are safe from the effects of Heartbleed. All internet users were at risk if connecting to vulnerable online services - regardless of the platform they were using.”

Some security companies advised Internet users to immediately change their passwords used on various web services. Even game developers like Mojang suspended all server activity for a brief period of time to install the patch and also advised Minecraft players to change their account passwords.

There is a website dedicated to the Heartbleed Bug that explains the flaw in great detail: what type of information it can leak to nefarious third parties, how to stop the leak, and a lengthy Q&A that describes some affected systems and links to test tools that let users check immediately whether a system they rely on can be exploited.

“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users,” says the site.

“Fixed OpenSSL has been released and now it has to be deployed. Operating system vendors and distributions, appliance vendors, independent software vendors have to adopt the fix and notify their users. Service providers and users have to install the fix as it becomes available for the operating systems, networked appliances and software they use,” it adds.

Besides the Heartbleed name, the vulnerability is also tracked as “CVE-2014-0160” and “NCSC-FI case# 788210.”
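The deployment step the site describes begins with finding out which installed OpenSSL builds fall in the affected range. The checker below is an added example, not code from the article or from heartbleed.com: it classifies `openssl version` banners against the upstream affected releases for CVE-2014-0160 (1.0.1 through 1.0.1f and 1.0.2-beta1), using constructed sample banners, and notes in the comments why a banner alone is not the final word.

```python
import re

# Upstream OpenSSL releases affected by Heartbleed (CVE-2014-0160):
# the 1.0.1 branch from 1.0.1 up to and including 1.0.1f (fixed in 1.0.1g)
# and 1.0.2-beta1 (fixed in 1.0.2-beta2). 0.9.8 and 1.0.0 never had the bug.
BANNER_RE = re.compile(
    r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?", re.IGNORECASE
)


def parse_banner(banner):
    """Turn an `openssl version` banner into (major, minor, fix, letter, pre)."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    major, minor, fix, letter, pre = m.groups()
    return (int(major), int(minor), int(fix), letter.lower(), (pre or "").lower())


def is_vulnerable_version(banner):
    """True if the banner names an upstream release in the affected range."""
    parsed = parse_banner(banner)
    if parsed is None:
        raise ValueError("not an OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, pre = parsed
    if (major, minor, fix) == (1, 0, 1):
        # "" (plain 1.0.1) and "a".."f" are affected; "g" and later are fixed.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2):
        return pre == "beta1"
    return False


def classify_banners(banners):
    """Map each banner to 'vulnerable', 'not affected' or 'unparsed'.

    Caveat: distributions that backport security fixes keep the upstream
    version string (Debian and Red Hat shipped patched 1.0.1e packages), so
    a 'vulnerable' verdict from the banner alone should be confirmed against
    the package changelog before anyone is told their hosts are exposed."""
    result = {}
    for banner in banners:
        if parse_banner(banner) is None:
            result[banner] = "unparsed"
        else:
            result[banner] = "vulnerable" if is_vulnerable_version(banner) else "not affected"
    return result


# Constructed sample banners, not output collected from real hosts.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1e 11 Feb 2013",
    "OpenSSL 1.0.1g 7 Apr 2014",
    "OpenSSL 1.0.2-beta1 24 Feb 2014",
    "OpenSSL 1.0.0l 6 Jan 2014",
    "LibreSSL 2.0.0",
]

if __name__ == "__main__":
    for banner, verdict in classify_banners(SAMPLE_BANNERS).items():
        print("%-32s %s" % (banner, verdict))
```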

Update: updated the article to include a correction from Graham Cluley regarding the Heartbleed bug and “Apple users.”