Security specialist Graham Cluley lays down some solid facts about the flaw

Apr 10, 2014 08:14 GMT

Security researcher and public speaker Graham Cluley has taken it upon himself to raise awareness among Apple customers about the Heartbleed SSL flaw widely covered in the media these past two days. Apparently it’s more serious than you’d like to believe.

Writing on the Intego Mac Security Blog, Cluley warns that “The Heartbleed Bug is a serious vulnerability that could lead to malicious hackers spying on what were thought to be secure Internet communications.”

He explains that “A programming bug in the widely-used OpenSSL software library could allow information to be stolen, which—under normal conditions—would be protected by SSL/TLS encryption.”

Information that could be stolen through this vulnerability includes (but is not limited to) email addresses, passwords, and private communications, “data which normally you expect to be transmitted down the equivalent of a ‘secure line’,” writes Cluley.

According to the security expert, the Heartbleed flaw (also referred to as CVE-2014-0160 in security circles) has been around for roughly two years, and “people have been able to scoop up private information” for precisely that amount of time. “Yes, it is really bad,” Cluley admits.

But no one knows for sure if it happened, because “exploitation of the bug leaves no trace,” according to the security consultant. “However, lots of people have demonstrated in the last couple of days that the bug can be exploited, and they’ve proven that it works,” he adds.

Apple customers asking whether they are exposed to any kind of risk, on either OS X or iOS, are told that Heartbleed does not discriminate by platform. It is an Internet-wide flaw, so yes, any Mac or iPhone used to reach the web is at risk.

“Unfortunately this bug doesn’t care what kind of device you are using to communicate via the Internet. This means that iPhones, iPads and Macs are just as much at risk as, say, a computer running Windows 8.1.”

Mavericks computers are the one partial exception: the version of OpenSSL that ships with OS X Mavericks 10.9 is unaffected by the bug, according to multiple reports from security researchers.

Update: Mr. Cluley kindly asked us to clarify that, “This isn’t Apple’s problem and there’s nothing for them to fix. But that doesn’t mean Apple users are safe from the effects of Heartbleed [including Mavericks customers]. All internet users were at risk if connecting to vulnerable online services, regardless of the platform they were using.”

A new version of OpenSSL with a fix is available, and you can test whether a web site is affected by Heartbleed. Apple’s own web sites are secure, Cluley says. Visit the related links below to learn more about the emergence of the flaw and the response from the IT community.