Mac Security: OS X Immune to OpenSSL Heartbleed Bug [u]

9 April 2014

OMG, stop using the internet for shopping and banking because it’s not secure! Meh. According to a knowledgeable source, the client and server versions of OS X aren’t susceptible to the OpenSSL Heartbleed security issue.

Apple gets a lot of deserved grief for being slow in adopting industry standards. For example, while OpenGL 4.4 has been out for nearly a year, OS X Mavericks only supports OpenGL 4.1, which limits the availability and performance of games on the Mac.

It’s a bad thing.

However, here is an example of Apple not supporting an industry standard that has resulted in a good thing. Because OS X doesn’t use OpenSSL, Macs are immune to the problem.

According to Damien Barrett, a Mac IT Pro and former TUAW blogger, those of us who run OS X and OS X Server can breathe a bit easier:

PSA: No versions of OS X or OS X Server are affected by the OpenSSL Heartbleed bug, because the last version shipped by Apple in an OS was 0.9.8y, which is a branch not affected by this bug. So unless you’ve installed OpenSSL via MacPorts or Homebrew, your public-facing OS X servers/services should be immune to this bug.

That said, [u] iMore’s Peter Cohen adds that Apple doesn’t like OpenSSL and hasn’t implemented it in some time (i.e., since v0.9.8y).

And, for that matter, Apple’s iOS doesn’t use OpenSSL either. So, no worries there either.

But, whereas Macs and iPhones are safe, according to Cohen, your data might not be:

[u] I can’t overemphasize this: your Apple device may be safe, but your encrypted data may not be. This is a very big deal because it affects many of the web sites and other Internet services you use. If the service uses OpenSSL to help manage the flow of encrypted data, it may be at risk.

So, Apple guys and gals, your Macs and iThings are safe, but your data might not be…

What’s your take?

Source: TUAW


  • Kennedy Brandt said:

    I think this is dangerously imprecise reporting. The article doesn’t make it clear until the very end, and then only via a quote from an external source, that the immunity applies only to Mac OS X-based servers and services. There is no such immunity for Mac OS X clients — ordinary users using Macs — who are going to make up the vast majority of people who see this headline and don’t read the full article closely enough.

  • the rocr (author) said:

    The article says, “No versions of OS X or OS X Server are affected by the OpenSSL Heartbleed bug.” What is imprecise about that?

  • Kennedy Brandt said:

    It’s at the end. Ever hear of the inverted pyramid model of journalistic communication? A distinction that important should be right up front, if not in the headline itself, instead of a bunch of snark. Author’s choice, of course, but I don’t believe this is a responsible choice.

  • wow said:

    Macs are vulnerable because the banks and shopping sites the author so recklessly encourages everyone to use may not be serving their websites with the older branch of OpenSSL, or using OS X.

    Unless OS X forces Firefox and Chrome to only use the older branch. I see how it could do that only in Safari.

  • Polimon said:

    The Heartbleed bug affects the security of web servers worldwide. When you log into online banking, for example, Heartbleed can steal your info from the server. It does not care what platform you are using, does it? I cannot see how Mac-owning end users would be safe in this scenario. If I am wrong, please enlighten me.

  • Richard said:

    Wow! Very bad reporting. The Heartbleed bug affects servers. It doesn’t matter whether your Mac OS computer is immune or not. Don’t access banking sites until you know the banking server to which you’re connecting has been fixed.

  • Lawrence said:

    It’s amazing how much misinformation spreads around about issues like this. As another has pointed out, this only applies to Macs running servers. The normal user visiting a website that has not been updated and patched is most definitely at risk. That’s why there are now lists of websites that have reported as fixed or still vulnerable.
