  • Apple Claims iOS, OS X and Its Key Web Services Aren't Affected by Heartbleed Security


    Apple recently released a statement saying that its major operating platforms, OS X and iOS, and some Web services were not affected by the immense “Heartbleed” security flaw that was found earlier this week. According to Re/code, Apple has confirmed that its services and systems are mainly untouched by the SSL (Secure Sockets Layer) bug dubbed “Heartbleed.” Heartbleed is a bug found in open source software that could have exposed the personal information and passwords of millions of users.

    The spokesperson has stated the following:

    Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected.

    News of the bug broke earlier in the week. The flaw was found in the OpenSSL implementation of the TLS/DTLS heartbeat extension. When the extension is used, memory contents can be leaked from the client to the server and from the server to the client. MITRE has officially designated the bug CVE-2014-0160.

    According to Heartbleed.org, the bug allows anyone on the Internet to read the memory of systems that are protected by vulnerable versions of OpenSSL software, including the secret keys websites use to encrypt traffic. Attackers can gather usernames and passwords, spy on communications and steal information from affected services.
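
The leak described above comes down to a heartbeat reply being built from a sender-supplied length field that is never compared with the bytes actually received. The sketch below is an added example, not code from OpenSSL or from the original article: it applies that bounds check to a simplified heartbeat message (layout per RFC 6520); `hb_reply`, `demo` and the sample record are hypothetical names and constructed data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_HEADER    3   /* 1-byte type + 2-byte payload length */
#define HB_PADDING  16   /* minimum padding required by RFC 6520 */

/* Build the echo reply for one received heartbeat message.
 * rec/rec_len describe the bytes that actually arrived in the record.
 * Returns the reply length, or 0 when the message is silently dropped. */
size_t hb_reply(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HEADER + HB_PADDING || rec[0] != HB_REQUEST)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    /* The bounds check: the length field is sender-controlled, so it must
     * fit inside the record that was really received before any copy. */
    if (HB_HEADER + claimed + HB_PADDING > rec_len)
        return 0;
    size_t reply_len = HB_HEADER + claimed + HB_PADDING;
    if (reply_len > out_cap)
        return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);
    /* Real stacks fill padding with random bytes; zeros keep this deterministic. */
    memset(out + HB_HEADER + claimed, 0, HB_PADDING);
    return reply_len;
}

/* Constructed 23-byte sample record carrying the payload "ping";
 * len_hi/len_lo set the length field the sender claims. */
size_t demo(uint8_t len_hi, uint8_t len_lo)
{
    uint8_t rec[HB_HEADER + 4 + HB_PADDING] = { HB_REQUEST, len_hi, len_lo, 'p', 'i', 'n', 'g' };
    uint8_t out[64];
    return hb_reply(rec, sizeof rec, out, sizeof out);
}

int main(void)
{
    printf("claimed 4 -> %zu bytes, claimed 16384 -> %zu bytes\n",
           demo(0x00, 0x04), demo(0x40, 0x00));
    return 0;
}
```

A record whose length field matches its contents is echoed back; one that claims more than it carries is dropped before any memory is copied.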

    Facebook, Google, and other major websites have already deployed fixes for the bug, but security researchers still ask users to change their passwords, since the websites were unpatched for a time.

    Source: Re/code
    This article was originally published in forum thread: Apple Claims iOS, OS X and Its Key Web Services Aren't Affected by Heartbleed Security started by Akshay Masand
    Comments: 2 Comments
    1. CZroe -
      I was told that OSX once included Apache webserver enabled by default with a test page on every machine. Apache definitely uses OpenSSL, which is why something like 67% of all sites do. The vulnerability has been part of OpenSSL since 2012 or late 2011, so I guess the Apache thing was before then?
    2. davesnothere11 -
      So if I go to https://revoked.grc.com/
      I see that Safari on my iPhone (iOS 7.0.6, jailbroken) does not check for revoked certs. That is not a good thing at all.