Heartbleed and iOS

My up-to-date iPhone and iPad both have OpenSSL 1.0.1b 26 Apr 2012 installed as part of iOS 7.1***. According to http://heartbleed.com this OpenSSL version is vulnerable to the heartbleed bug.


Could these devices be attacked from other devices on my network using the heartbleed bug?


Is there a way for me to upgrade to OpenSSL 1.0.1g to remove this vulnerability?


***To prove this to yourself on an iOS device, grab a copy of Pythonista and type: import ssl ; print(ssl.OPENSSL_VERSION)

You will get back: 'OpenSSL 1.0.1b 26 Apr 2012'

iPad (4th gen) Wi-Fi, iOS 7.1

Posted on Apr 9, 2014 11:08 PM
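
Added example, not part of the original post or of any reply: a Python check that classifies an ssl.OPENSSL_VERSION string against the upstream Heartbleed range (1.0.1 through 1.0.1f and the first 1.0.2 betas; 1.0.1g is fixed). The function names are hypothetical, and every sample string except the one quoted in the post is constructed.

```python
import re
import ssl

# Upstream Heartbleed range: 1.0.1 through 1.0.1f, plus 1.0.2-beta and
# 1.0.2-beta1. 1.0.1g is the first fixed release.
IN_RANGE, OUTSIDE, UNKNOWN = "in-affected-range", "outside-affected-range", "unknown"

_VERSION_RE = re.compile(
    r"^OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d*))?(?:-fips)?(?=\s|$)"
)

def heartbleed_status(version_string):
    """Classify an ssl.OPENSSL_VERSION-style string by upstream release only.

    Vendors may backport the fix without changing the letter, and builds can
    disable heartbeats, so IN_RANGE means "investigate", not "confirmed".
    """
    m = _VERSION_RE.match(version_string)
    if m is None:
        return UNKNOWN  # another TLS library, or a format this parser does not know
    base = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)
    if base == (1, 0, 1):
        if beta is not None:
            return UNKNOWN  # pre-release of 1.0.1: not classified here
        return IN_RANGE if letter < "g" else OUTSIDE  # "" and a..f are in range
    if base == (1, 0, 2) and beta is not None:
        return IN_RANGE if int(beta or 0) <= 1 else OUTSIDE
    return UNKNOWN if beta is not None else OUTSIDE

def linked_openssl_status():
    """Report on the library this interpreter is linked against.

    This says nothing about the operating system or about other apps, each of
    which may bundle its own TLS library.
    """
    return ssl.OPENSSL_VERSION, heartbleed_status(ssl.OPENSSL_VERSION)

if __name__ == "__main__":
    samples = [  # first string is from the post above; the rest are constructed
        "OpenSSL 1.0.1b 26 Apr 2012",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.1e-fips 11 Feb 2013",
        "OpenSSL 0.9.8y 5 Feb 2013",
        "LibreSSL 2.8.3",
    ]
    for s in samples:
        print(f"{s!r}: {heartbleed_status(s)}")
    print("this interpreter:", linked_openssl_status())
```

The result describes only the library loaded by the process that runs the check, so it has to be run inside each app or runtime of interest.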

21 replies

Apr 11, 2014 9:42 AM in response to PacBlue

By the way, in the second StackExchange link it says Apple has never supplied OpenSSL with iOS. It makes me wonder if the OpenSSL version you see with Pythonista is supplied by that program and not the OS. If that is true, then the vulnerability could be dependent on the app you are using.

PacBlue wrote:


http://security.stackexchange.com/questions/55249/what-clients-are-proven-to-be-vulnerable-to-heartbleed


http://security.stackexchange.com/questions/55119/does-the-heartbleed-vulnerability-affect-clients-as-severely

Apr 11, 2014 9:53 AM in response to PacBlue

PacBlue wrote:


By the way, in the second StackExchange link it says Apple has never supplied OpenSSL with iOS. It makes me wonder if the OpenSSL version you see with Pythonista is supplied by that program and not the OS. If that is true, then the vulnerability could be dependent on the app you are using

Absolutely. It is also worth noting a couple of other things:

  • IIS is not affected (never was. Occasionally MS gets something right, even by accident)
  • On iOS devices, any intrusion would be limited to pretty much the app in question.
  • Client side exploitation of this is a bit more difficult to execute than the articles describe.

While this is by no means a trivial issue, I think (thanks to the tech and popular media and their "Chicken Little" response) it is being blown a bit out of proportion.

Apr 12, 2014 2:48 AM in response to cclauss

So, as a new Mac user and as a person that really doesn't understand all of these words that you are all typing....am I safe with my iMac from this whole Heartbleed thing?


I also have a windows netbook that I don't really use anymore but my kids do for homework, etc....do I need to go ahead and change passwords on that one?


Thanks in advance for your dumbed-down answer 😉

Apr 12, 2014 6:23 PM in response to JaynaMc

JaynaMc wrote:


So, as a new Mac user and as a person that really doesn't understand all of these words that you are all typing....am I safe with my iMac from this whole Heartbleed thing?

No, you are not, but there won't be any patches for either computer to help with this.


Stay off of all sites that require a secure SSL login (https://) where you enter sensitive information, including your userid and password. Wait to be notified by the site that it is now safe and only then change your password.
