"Heartbleed" bug in OpenSSL

I've just been reading about "heartbleed", which is a bug that has existed in OpenSSL for two years. This makes our passwords and other information, including content, susceptible to being uncovered. Is the icloud.com site secure at risk? I tested the site with a tool provided by lifehacker.com and it showed there was a problem. I have tested other sites and they came back with a secure result.
Anyone know anything about this? I'm concerned that all my email etc. can possibly be vulnerable.
Thanks
Melissa

In addition to what we all think of as servers, a variety of other Mac and iOS apps are potentially vulnerable. Why? Because many apps use "server-like" features. For example: using POP3, IMAP or SMTP protocols.
A good example of an iTunes App Store app that has been vulnerable is FileMaker Go 13, along with other FileMaker versions for OS X.
Any user of the following FileMaker application versions needs to be aware that their secure data may have been compromised. They need to read the notice I've linked below, consider whether they have made use of the noted features, and determine if their use may have compromised sensitive information. If so, they need to not only update their copy of FileMaker, but also regenerate sensitive information as recommended by CERT (in the bottom link below.)
http://help.filemaker.com/app/answers/detail/a_id/13384/~/filemaker-products-and-the-heartbleed-bug
FileMaker Go 13 https://itunes.apple.com/us/app/filemaker-go-13/id675292600
FileMaker Server 13 (Sold by Apple but not in App Store)
FileMaker Pro 13, FileMaker Pro 13 Advanced (Sold by Apple but never officially in the App store)
The very nature of the HeartBleed bug is such that any app that was ever vulnerable to HeartBleed must be properly addressed. See the official CERT HeartBleed Bug announcement (http://www.kb.cert.org/vuls/id/720951): "Any system that may have exposed this vulnerability should regenerate any sensitive information (secret keys, passwords, etc.) with the assumption that an attacker has already used this vulnerability to obtain those items. Old keys should be revoked."
Blessings,
Pete
(PS, I am setting up a test environment to discover which of the Apps I own are vulnerable. I hope to report back before too long.)

Similar Messages

  • PI and the Heartbleed bug

    Hi all PI experts.
    Does anyone know if we (using SAP PI) are affected by the heartbleed bug for OpenSSL? Or where to find information about which versions of PI can be affected by this?
    Regards,
    /Anna

    Just got a reply from SAP that their Product Security Response Team are currently working on the issue and that they will publish information when they have any to give.
    /Anna

  • Does the SCCM updates manager use OpenSSL, and is it vulnerable to the Heartbleed bug?

    I'm 99.99% positive I know the answer, but my boss wants to know for SURE. Does the SCCM updates manager use OpenSSL, and is it vulnerable to the Heartbleed bug?
    Thank you for appeasing him.

    I must be misunderstanding something here. Would you please help me understand why this isn't answerable here? How does this have anything to do w/ our TAM? SCCM is SCCM regardless of where we got it, right? I'm quite perplexed, so thank you for clearing this up.
    My guess is liability. What if we're wrong? Very few people who frequent these forums are actual Microsoft employees.
    If you want a 'for sure' answer, you're best off contacting Microsoft directly IMHO.
    Don't retire TechNet! -
    (Don't give up yet - 12,830+ strong and growing)

  • As a Mac user, what action do I take in relation to the Heartbleed bug?

    As a Mac user, what action do I take in relation to the Heartbleed bug?

    None except don't visit servers that have not updated their openssl server.

  • What should Mac users do about the Heartbleed bug?

    I've been reading about this new Heartbleed bug where you should change all your passwords. It seems these days that quite frequently something like this appears, and the first thing they tell you is to change all your passwords. I would just like to know from someone who knows what they are talking about how Mac devices are affected by Heartbleed. Do I need to make a mad dash to change all my passwords?

    The short answer to your first question is - if you're worried, change your password. Better safe than sorry. If it's just a few sites, it shouldn't be too onerous a task, hopefully.
    Gaining access to one site does not allow an intruder to access other sites.
    When you say "log into" Youtube or Google - just to clarify:
    - If you use your web browser to go to youtube.com, and view videos, or you go to google.com, and do a search for something, technically you're not logging in. You're just visiting. This poses no risk to you.
    - However, if you go to youtube.com, or google.com, and click "Sign in", and enter a user name (usually an email address) and password, then you're logging in, and your password and other information may be at risk.
    When you visit Google, look at the very top of the screen. If you see your name there, you're signed in, and you DO have a Google account. If you don't, you're not signed in, and from what you say, you probably don't have a Google account.
    The only way that email might be affected is if you regularly access your email through the web (ie, you log onto http://comcast.net), and your mail host (Comcast) tells you that they were susceptible to Heartbleed. Accessing mail through a mail application (the Mail app on your Mac, for example) is not affected by this issue. It's really all about websites. Most applications, such as iTunes, are not affected. (I say "most" because some may have used OpenSSL to access services, or are linked to sites which use OpenSSL - such as Dropbox.)
    Matt

  • Are any versions of Firefox susceptible to Heartbleed bug CVE-2014-0160?

    Do any versions of Firefox use OpenSSL?
    If so, which versions of Firefox would be vulnerable to the Heartbleed bug CVE-2014-0160 that has recently been identified?
    As covered in:
    http://heartbleed.com/
    http://arstechnica.com/security/2014/04/critical-crypto-bug-in-openssl-opens-two-thirds-of-the-web-to-eavesdropping/

    An interesting article on the Heartbleed vulnerability and its probable extent
    * http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/

  • Is there a fix for the Heartbleed bug for iMac, iPad, iPod?

    I just read an article that Google has come out with a fix for PC users to download so they will not be affected by the Heartbleed bug.  I was wondering if Apple has come out with a security fix of their own yet?  

    MsAnnieB2 wrote:
    I just read an article that Google has come out with a fix for PC users to download so they will not be affected by the Heartbleed bug.
    I've searched for this on Google, but have not found anything. Can you tell me more? If they have found a solution for PCs then there is a good chance it can be made to work with Macs.
    I was wondering if Apple has come out with a security fix of their own yet?
    Although the information you were given is the best available at this time, I really don't feel it adequately answered your question.
    As far as I have been able to find out, all computer users are equally impacted by this issue and there is no way to protect yourself other than to stay off of secure sites until they have told you they are safe. Don't even go onto those sites to change your password until you know that they are safe.

  • Heartbleed bug in Relay Server

    According to http://service.sap.com/sap/support/notes/2007688 the Heartbleed bug has been fixed for the corresponding products.
    I did not find anything explicitly mentioning the Relay Server in the release notes.
    So for clarification: has the Relay Server been fixed too? And if so I would like to know as of which version.
    In SMP 3.0 SP03 PL01 and in SMP 2.3 SP04 PL01 (I only took a look at those 2) there is a Relay Server included. Does this Version of the Relay Server include the fix for the Heartbleed bug?
    Thanks,
    Klaus

    Hi Klaus,
    The versions indicated in that note include fixes for all the components. In this case, utilizing the Relay Server version included with SMP 3.0 SP03 PL01 & SMP 2.3 SP04 PL01 will include patches for the Heartbleed issue.
    As a side note, the Relay Server is part of the SQL Anywhere platform so we can also use those values from the note as well. The SP level can be a bit difficult to compare against your actual version but you can use the following:
    SQL Anywhere 16.0.0 SP 11 -> 16.0.0.1824 (This is the version shipped with SMP 2.3 SP04 PL01)
    Hope this helps,
    Edgar

  • How is the "heartbleed" bug affecting android devices?

    How is the "heartbleed" bug affecting android devices?

    This would be a great place to start. There is plenty of documentation on the MDN to get you started.
    https://developer.mozilla.org/en-US/docs/Extensions/Firefox_on_Android

  • Do I need to take any action over the Heartbleed bug?

    Do I need to take any action over the Heartbleed bug?

    You can use this website to test the sites, like banking sites, for protection to the Heartbeat issue: Qualys SSL Labs - Projects / SSL Server Test.
    Just enter the URL of the site and it will test it for compliance.
    OT

  • Heartbleed bug and Mavericks

    Are there vulnerabilities from the Heartbleed bug using Mavericks?

    charliefrommi wrote:
    How can one know whether or not a server is secure?
    There are a number of testing tools available and websites that list the current status of the major websites. C|net is one of them. Security experts say you should change your password for any affected site only AFTER they have patched their servers. Doing so before the site is updated doesn't prevent anything.
    http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/

  • HT6162 does update cover the 'Heartbleed' bug?

    Does the recent update for iOS include the OpenSSL fix for the heartbleed bug?

    Joe_depo wrote:
    Does the recent update for iOS include the OpenSSL fix for the heartbleed bug?
    As others have said, nothing can be fixed on your end. You need to stay off of secure sites where you post privacy information until they have told you it's safe to use. If they tell you they fixed the problem then you need to change your password then, but not before it's fixed.

  • Does the Heartbleed Bug affect macs?

    I have been hearing about the heartbleed bug and just wondering if it is affecting Apple products?

    The Heartbleed issue is a server, not a client, issue. In short, yes, it doesn't matter what you are running to connect to a site, the issue lies in what the server has installed for SSL. But the risk is not in infecting your Mac as much as stealing your login and other information.
    This might help you to understand what is happening: http://tidbits.com/article/14662?rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+tidbits_main+%28TidBITS%3A+Mac+News+for+the+Rest+of+Us%29

  • Change password due to heartbleed bug?

    Do I have to change my apple password due to the heartbleed bug?

    Klaus1 wrote:
    No, Apple's servers are not affected.
    Probably not, but I have not found a definitive statement directly from Apple concerning this. There is some evidence that sub-contracted distribution networks that Apple uses may have been affected. I've quit saying anything until I see the actual press release, as right now all we know is what one reporter for recode.net heard from an un-named Apple employee, unless you've seen something I have not.

  • Verizon Router & the Heartbleed bug

    Is my router's firmware up to date as per the Heartbleed bug? Apple had to update its AirPort routers' firmware, so is my Verizon router secure? Anyone know or can help?
    My question stems from the CNNMoney article...
    money.cnn.com/2014/04/24/technology/security/heartbleed-security/index.html?iid=Lead
    So I figured to ask and the "Ask Verizon" auto agent is useless for questions like this. thx

    I've asked someone in-the-know at Verizon, and they have indicated the FiOS routers do not suffer from the Heartbleed bug.
    ========
    The first to bring me 1Gbps Fiber for $30/m wins!
