5 Replies Latest reply: Apr 11, 2014 10:12 AM by kwolf22
Lon Hutchison Level 1 (0 points)

I have read about the OpenSSL flaw and it was stated that OS X 10.9.x is not vulnerable, but what about OS X 10.8.5?


MacBook Pro, OS X Mountain Lion (10.8.5)
  • BobHarris Level 6 (14,655 points)

    My understanding is that this is a server side SSL flaw.  Are you running an OpenSSL server on your Mountain Lion system?

  • lkrupp Level 4 (3,330 points)

    This vulnerability is not in OS X. This is a website server software issue and has nothing to do with your computer.
    http://www.theverge.com/2014/4/8/5594266/how-heartbleed-broke-the-internet

    The issue affects certain websites that use an open source software package. Most e-commerce websites are NOT affected. Apple, Google, and Microsoft websites also appear to be immune. Again, there's nothing to patch on your computer. The problem is with certain websites themselves.

  • Lon Hutchison Level 1 (0 points)

    Not running a server, but thanks!

  • kwolf22 Level 1 (0 points)

    THIS VULNERABILITY *IS* IN OS X!
    I'm still running a few OS X Servers and after doing an initial audit have found that the version of OpenSSL in Mavericks & Mountain Lion is vulnerable.  Mavericks was patched, but Mountain Lion is still running OpenSSL 1.0.1e (11 Feb 2013).
    If you run any type of server that uses OpenSSL, you need to take this vulnerability very seriously.

    Here is a link to the US-Cert explanation of the vulnerability:

    http://www.kb.cert.org/vuls/id/720951

    This issue is quite large and affecting more than just Web servers. You need to be looking at any products that may be implementing OpenSSL.  For a vendor list and how they are affected see this US-Cert publication.

    http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=720951&SearchOrder=4

  • kwolf22 Level 1 (0 points)

    OK, change my last post to:

    This vulnerability *MAY BE* IN OS X!

    While doing some more investigating into my server configuration, it turns out that the vulnerable version of OpenSSL was part of a third party software package.
    Apple deprecated their use of OpenSSL back in Lion (OS X 10.7).  At that time the version of OpenSSL included in OS X did not contain the Heartbleed vulnerability.
    Still, if you have been running on OS X server for a while - especially if it's been upgraded from a previous version of the OS - check your version of OpenSSL.  Just type "openssl version" on the command line.  If it comes back with OpenSSL versions 1.0.1 through 1.0.1f, you'll need to figure out what installed that version and update it.
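The check kwolf22 describes, written out as a small POSIX sh script (an added example, not code from the thread): it classifies an `openssl version` string against the 1.0.1 through 1.0.1f range the post names, and walks every `openssl` binary on PATH so a second copy installed by a third-party package (the case found above) is listed alongside the system one. The sample version strings in the comments are constructed for illustration.

```shell
#!/bin/sh
# Classify one `openssl version` line (e.g. "OpenSSL 1.0.1e 11 Feb 2013").
# Prints "vulnerable", "not-vulnerable" or "unrecognized"; exit 0 only when
# the version falls in the 1.0.1 .. 1.0.1f range named in the thread.
# Caveat: some vendors backport the fix without changing the version letter,
# so a hit here is a reason to check the package's changelog, not proof.
heartbleed_range() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unrecognized"          # LibreSSL, empty output, etc.
        return 2
    fi
    case "$ver" in
        1.0.1|1.0.1[a-f])
            echo "vulnerable"        # 1.0.1 through 1.0.1f
            return 0 ;;
        *)
            echo "not-vulnerable"    # 0.9.8x, 1.0.0x, 1.0.1g and later
            return 1 ;;
    esac
}

# Report every openssl on PATH, not just the first one `openssl version` hits.
# A path outside /usr/bin (e.g. /usr/local/bin or /opt/local/bin) points at
# whatever third-party package installed it.
audit_openssl_binaries() {
    for bin in $(which -a openssl 2>/dev/null); do
        verdict=$(heartbleed_range "$("$bin" version 2>/dev/null)") || true
        printf '%s -> %s\n' "$bin" "$verdict"
    done
}

audit_openssl_binaries
```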