Sunday, April 13, 2014

Apple says iOS, OS X, iTunes and iCloud not affected by Heartbleed OpenSSL bug

heartbleed_logo_heartbleed.jpg
The Heartbleed bug, which came to light this week, is a massive security vulnerability that affects the encryption framework used by about two-thirds of the world's Web servers, leaving users' passwords and confidential information potentially available to malicious attackers. Since its disclosure, major Web companies have been scrambling to patch their infrastructure and assess the extent of their liability.

While major Web services including FacebookDropboxYahooAmazon and multiple Googleofferings are now known to have been vulnerable prior to the disclosure of the bug. Apple has now told tech industry news site Re/code that its products and services were not affected by the bug. Apple has said its operating systems, OS X and iOS, as well as web services including iTunes and iCloud, which are used by millions of users and generate millions of transactions per day, never used the vulnerable OpenSSL implementation.

The OpenSSL Heartbleed bug is being described as one of the most serious security problems to ever affect the Internet. It is not known whether malicious "black hat" hackers were aware of the bug and were exploiting it before security workers were aware of the need to patch it.

Heartbleed allows attackers to send commands to a server which result in it sending small portions of the system memory back to the attacker, unencrypted. Many of these snippets of data could be combined to reveal critical information stored in the memory, including top-level encryption keys and actual user data such as passwords and the contents of messages. With access to such keys, the attackers could then decrypt any information flowing to or from that server, without anyone realising.

Web users are advised to change all passwords, since the worst-case scenario that information has already leaked out, and millions of existing SSL certificates are useless, is completely plausible. In addition to attackers usually motivated by profit, global security agencies that have been in the news for monitoring private communications, are also likely to have been interested in the potential for data gathering using the Heartbleed bug

No comments:

Post a Comment