
Heartbleed OpenSSL Flaw?

I have read about the OpenSSL flaw and it was stated that OS X 10.9.x is not vulnerable, but what about OS X 10.8.5?

MacBook Pro, OS X Mountain Lion (10.8.5)

Posted on Apr 8, 2014 10:11 AM


Apr 8, 2014 3:27 PM in response to Lon Hutchison

This vulnerability is not in OS X. This is a website server software issue and has nothing to do with your computer.


http://www.theverge.com/2014/4/8/5594266/how-heartbleed-broke-the-internet


The issue affects certain websites that use an open source software package. Most e-commerce websites are NOT affected. Apple, Google, and Microsoft websites also appear to be immune. Again, there's nothing to patch on your computer. The problem is with certain websites themselves.

Apr 11, 2014 9:29 AM in response to lkrupp

THIS VULNERABILITY *IS* IN OS X!


I'm still running a few OS X Servers and after doing an initial audit have found that the version of OpenSSL in Mavericks & Mountain Lion is vulnerable. Mavericks was patched, but Mountain Lion is still running OpenSSL 1.0.1e (11 Feb 2013).


If you run any type of server that uses OpenSSL, you need to take this vulnerability very seriously.

Here is a link to the US-Cert explanation of the vulnerability:

http://www.kb.cert.org/vuls/id/720951


This issue is quite large and affecting more than just Web servers. You need to be looking at any products that may be implementing OpenSSL. For a vendor list and how they are affected see this US-Cert publication.

http://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=720951&SearchOrder=4

Apr 11, 2014 10:12 AM in response to kwolf22

OK, change my last post to:


This vulnerability *MAY BE* IN OS X!


While doing some more investigating into my server configuration, turns out that the vulnerable version of OpenSSL was part of a third party software package.


Apple deprecated their use of OpenSSL back in Lion (OS X 10.7). At that time the version of OpenSSL included in OS X did not contain the Heartbleed vulnerability.


Still, if you have been running OS X Server for a while - especially if it's been upgraded from a previous version of the OS - check your version of OpenSSL. Just type "openssl version" on the command line. If it comes back with OpenSSL versions 1.0.1 through 1.0.1f, you'll need to figure out what installed that version and update it.

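The check described in the post above, as an added example that is not part of the thread or of Apple's documentation: a small POSIX shell script that classifies an "openssl version" string as one of the Heartbleed-affected releases (OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g) and then walks PATH to report every openssl binary it finds, so you can see which one a third-party package dragged in. The sample version strings at the bottom are constructed for illustration; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit OpenSSL versions for Heartbleed.
#
# Affected releases: OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1.
# Fixed in 1.0.1g. The 0.9.8 and 1.0.0 lines never had the heartbeat
# extension, so the 0.9.8 build that OS X itself ships is not affected.
#
# Caveat: some vendors backport the fix without bumping the version string,
# so a match here is a reason to investigate which package installed that
# binary, not proof that it is exploitable.

# heartbleed_affected "<output of openssl version>"
# Returns 0 (shell true) when the string names an affected release, 1 otherwise.
heartbleed_affected() {
    # Second field of a line starting with "OpenSSL", e.g. "1.0.1e".
    # LibreSSL and malformed input yield an empty string and are treated as
    # not affected.
    hb_ver=$(printf '%s\n' "$1" | awk '/^OpenSSL/ {print $2; exit}')
    case "$hb_ver" in
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*|1.0.2-beta1) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_openssl_binaries
# Prints one line per openssl binary found on PATH, in PATH order (the first
# line is the one a bare "openssl version" actually runs), with its version
# and the classification. Returns 0 if any affected binary was found.
audit_openssl_binaries() {
    hb_found=1
    hb_saved_ifs=$IFS
    IFS=:
    for hb_dir in $PATH; do
        IFS=$hb_saved_ifs
        [ -x "$hb_dir/openssl" ] || continue
        hb_out=$("$hb_dir/openssl" version 2>/dev/null)
        if heartbleed_affected "$hb_out"; then
            printf 'AFFECTED   %s  (%s)\n' "$hb_dir/openssl" "$hb_out"
            hb_found=0
        else
            printf 'ok         %s  (%s)\n' "$hb_dir/openssl" "$hb_out"
        fi
        IFS=:
    done
    IFS=$hb_saved_ifs
    return $hb_found
}

# Constructed sample strings, exercised only when the script is run directly.
if [ "${HB_SKIP_DEMO:-}" = "" ]; then
    for hb_s in "OpenSSL 1.0.1e 11 Feb 2013" \
                "OpenSSL 1.0.1g 7 Apr 2014" \
                "OpenSSL 0.9.8y 5 Feb 2013" \
                "LibreSSL 2.8.3"; do
        if heartbleed_affected "$hb_s"; then
            printf 'AFFECTED   %s\n' "$hb_s"
        else
            printf 'ok         %s\n' "$hb_s"
        fi
    done
    audit_openssl_binaries
fi
```

Run it as `sh heartbleed_audit.sh` on the server. If a binary is reported as affected, `otool -L` on the server processes you care about will show which libssl they actually link, since a third-party package can install its own copy under a separate prefix without replacing the system one.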