After the blow of Heartbleed in OpenSSL(CVE-2014-0160), Apple has stepped up to reassure their users that there is no need to panic as their iOS, OS X and other web-based services are safe from the bug which was disclosed earlier this week.
On Thursday, Apple has confirmed to Re/code, “Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected.”
So you can sleep a little ‘more confidently’ now. It confirms that all the bug doesn’t affect the leading websites of the Cupertino such as Apple.com, iCloud as well as the discussion board (discussions.apple.com) that don’t make use of OpenSSL.
For those who haven’t heard about the Heartbleed. It’s a security flaw in the open-source cryptography library OpenSSL, which certifies half of million trusted websites (about 17% of all Internet’s secured web servers). The vulnerability allows attacker to steal server’s private keys, users’ session cookies and passwords.
Earlier this month, Neel Mehta of Google’s security team first discovered the flaw in all versions of OpenSSL, and then an engineer at Codenomicon discovered and detailed the bug to the public. Following the revelation, two researchers even demonstrated how they could get access to a vulnerable server and steal private keys.
The list of affected websites includes as famous as those of Google, Facebook, Dropbox, LastPass, OkCupid, SoundCloud, Steam, Tumblr and Yahoo. Although Yahoo acknowledged that they had fixed the issue, but remained vulnerable for a long time.
Twitter has also claimed that there are aware of a critical vulnerability in OpenSSL. “We were able to determine that twitter.com and api.twitter.com servers were not affected by this vulnerability,” Twitter said.
“We added protections for Facebook’s implementation of OpenSSL before this issue was publicly disclosed, and we’re continuing to monitor the situation closely,” a Facebook spokesman said. “We haven’t detected any signs of suspicious account activity that would suggest a specific action, but we encourage people to take this opportunity to follow good practices and set up a unique password for your Facebook account that you don’t use on other sites.”