Must-Read: What is Heartbleed security bug? Find out how it affects iOS and Mac users


You have probably heard about the Heartbleed bug by now. In case you’re not aware, Heartbleed is a critical security bug discovered earlier in the week in OpenSSL, a popular open-source cryptographic library used by many websites.

It is already being called the biggest security threat the internet has seen, so it is important that you read this article and figure out what steps you need to take to protect yourself.

What is the Heartbleed bug?

The website dedicated to the bug explains the seriousness of the vulnerability:

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

It is called the Heartbleed bug because the “bug is in the OpenSSL’s implementation of the TLS/DTLS (transport layer security protocols) heartbeat extension (RFC6520). When it is exploited it leads to the leak of memory contents from the server to the client and from the client to the server.”
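As an added illustration, not code from this article or from OpenSSL itself, the routine below shows the record-length check that the patched heartbeat handler performs before echoing a heartbeat payload: the claimed payload length plus the mandatory padding must fit inside the TLS record that carried it. The message layout follows RFC 6520; the two sample records at the end are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 6520 HeartbeatMessage inside one TLS record:
 *   uint8 type (1=request, 2=response); uint16 payload_length (big-endian,
 *   chosen by the peer); opaque payload[payload_length]; opaque padding[>=16] */
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_MIN_PADDING 16

/* Returns the payload length to echo, or -1 if the message must be dropped.
 * The length check is the one the vulnerable OpenSSL code lacked: it trusted
 * payload_length and copied that many bytes out of a record that might hold
 * only a few, so the reply carried whatever sat next to it in process memory. */
int hb_validate(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < 1 + 2 + HB_MIN_PADDING)
        return -1;                          /* cannot hold type + length + padding */
    if (rec[0] != HB_REQUEST && rec[0] != HB_RESPONSE)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;                          /* claimed payload exceeds the record */
    return (int)payload_len;
}

/* Builds the HeartbeatResponse, copying only bytes that lie inside the record.
 * Returns the number of bytes written to out, or -1. */
int hb_build_response(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_len)
{
    int plen = hb_validate(rec, rec_len);
    if (plen < 0 || out_len < 3 + (size_t)plen + HB_MIN_PADDING)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(plen >> 8);
    out[2] = (uint8_t)plen;
    memcpy(out + 3, rec + 3, (size_t)plen);     /* bounded by hb_validate */
    memset(out + 3 + plen, 0, HB_MIN_PADDING);  /* real stacks use random padding */
    return 3 + plen + HB_MIN_PADDING;
}

/* Constructed sample records (not real captures): a well-formed request with a
 * 3-byte payload and 16 bytes of padding, and the same bytes with the claimed
 * payload_length raised to 65535. Both are 22 bytes on the wire. */
static const uint8_t hb_good[22] = {HB_REQUEST, 0x00, 0x03, 'a', 'b', 'c'};
static const uint8_t hb_bad[22]  = {HB_REQUEST, 0xFF, 0xFF, 'a', 'b', 'c'};
```

Run against the two samples, the well-formed record is echoed with exactly its three payload bytes, while the record claiming 65535 bytes is rejected instead of being answered with memory the record never contained.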

You can check out the video below made by Zulfikar Ramzan, an MIT Ph.D. and CTO of cloud security firm Elastica, which explains the bug very well (Note: There is quite a lot of technical jargon).

How does it affect iOS and Mac users?

According to Ask Different, Apple deprecated OpenSSL on OS X in December 2012, if not earlier, and has never included OpenSSL as part of iOS, so no version of OS X or iOS is affected by the Heartbleed bug. Apple has this to say about OpenSSL:

OpenSSL does not provide a stable API from version to version. For this reason, although OS X provides OpenSSL libraries, the OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS. Use of the OS X OpenSSL libraries by apps is strongly discouraged.

So Mac and iOS users are not directly affected, unlike with the serious SSL security flaw called “Gotofail” discovered in OS X and iOS last month, which was fixed in iOS 7.0.6, iOS 6.1.6 and OS X 10.9.2. But that is not necessarily good news, as you’re still likely to be affected indirectly: OpenSSL is the most popular open-source cryptographic library and TLS (transport layer security) implementation used to encrypt traffic on the Internet.

iOS and Mac users may be affected indirectly

Some of the popular third-party services like Gmail, Facebook, Dropbox, Evernote that you may be using are affected by the bug, and could have exposed your sensitive account information. Many companies that have been exposed to the security bug have already patched it on their servers. You can check out this link for the long list of websites that are potentially affected by the security flaw.

What should you do?

Mashable has compiled a nice list based on the responses it got from companies that run some of the most popular social, email, banking and eCommerce sites on the web that have been affected by the Heartbleed bug. If you use any of the services mentioned in the list, then it is extremely important that you change your password once the service has patched the bug (changing it before the patch leaves the new password just as exposed). Alternatively, you can check sites manually using this online tool at http://filippo.io/Heartbleed/.

I would also strongly recommend that you enable two-step verification, as it adds an additional layer of security to your account.

Hope this was helpful. Stay safe! Please feel free to drop me a line if you have any questions.

Comments
  • filthyjason

    If anyone cares, Cisco Anyconnect mobile VPN client is affected:
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140409-heartbleed

  • Jason Burroughs

    you say “may have been affected indirectly” – how exactly are Mac users affected *differently* than Windows users? As long as the end user is not running server software, what difference does it make what OS the client is using?

    I wish these (many) articles about this would be very specific. Even the post on re/code doesn’t actually say “Mac OS X users will not be at risk when using any browser on their computer to access the many sites that are affected.” If this was the case, then they would be listing all the desktop OSes which are affected, but they aren’t.

    • Gautam

      The operating system is not affected, but you could still be affected if you use one of the services that use OpenSSL.

  • Dee jay

    Well if attackers didn’t know b4, they know now