56

What versions of OS X come default with the affected versions of OpenSSL?

All Internet traffic right now is clogged with the same generic information in regards to the Heartbleed bug, without any attention paid to Macintosh in the environment. I am looking for information on Mac OS X client as well as Mac OS X server. Right now it's impractical for me to check all the Macs in the environment for their specific version of OpenSSL, but I already have the Mac OS X version information for the affected machines.

MDMoore313
  • This is more a concern for web servers than clients used to connect to them. Your information can be compromised even if your machine doesn't have the Heartbleed version of OpenSSL. – Ɱark Ƭ Apr 08 '14 at 18:28
  • @Mark true, but what happens when someone wants to run an app that turns their machine into a webserver, and uses the built in version of OpenSSL? Mac apps maybe not so much, but that's why I asked about OS X server as well. Mobiles are likely to be more affected though b/c a lot of mobile apps try to implement that functionality. – MDMoore313 Apr 08 '14 at 18:29
  • However, the whole question largely misses the point that it isn't client machines that are in danger, but servers. If you are accessing a server that has been compromised, then it doesn't matter whether you run MacOS X or Windows 95, you are accessing a server that might be leaking any information the server has about you. It's only of interest if you are using your own Mac as a server. – gnasher729 Apr 09 '14 at 17:50
  • -1, ...the whole question largely misses the point that it isn't client machines that are in danger... not entirely true; I specifically ask for Server versions as well, and it's been mentioned here about the possibility of client machines being vulnerable. This is also not a real answer, so should have been a comment to the question. – MDMoore313 Apr 09 '14 at 18:05
  • Not true. The exploit can be used by malicious servers against clients which use OpenSSL to make the connection. – Michael Hampton Apr 10 '14 at 02:55
  • @gnasher729 There is no reason you can't ask a different question about the point you feel is missing. This Q&A is narrow and focused on what versions of OS X might have their memory contents exposed to the network by a programming bug. It's not meant to be a general risk assessment for any Mac user or even about any larger picture. – bmike Apr 10 '14 at 10:28

3 Answers

64

No versions of OS X are affected (nor is iOS affected). Only installing a third party app or modification would result in a Mac or OS X program having that vulnerability / bug in OpenSSL version 1.0.x


Apple deprecated OpenSSL on OS X in December of 2012 if not earlier. No version of OpenSSL that is vulnerable to CVE-2014-0160 (a.k.a. the Heartbleed Bug)

Apple provides several alternate application interfaces that provide SSL to Mac developers and has this to say about OpenSSL:

OpenSSL does not provide a stable API from version to version. For this reason, although OS X provides OpenSSL libraries, the OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS. Use of the OS X OpenSSL libraries by apps is strongly discouraged.

Specifically, the latest version of OpenSSL shipped by Apple is OpenSSL 0.9.8y 5 Feb 2013 which does not appear to have the bug from newer versions of OpenSSL back ported to the code for Apple's version of the library.

The PDF of this documentation has some clearly written advice for developers and some sections that are useful for professionals or the security minded user as well.

Considering this, the only remaining issue would be additional software that was built against OpenSSL, e.g. several packages in Homebrew (brew update followed by brew upgrade) or MacPorts (port selfupdate followed by port upgrade openssl) to update to the patched 1.x version of OpenSSL.

Also, you could use mdfind/mdls to check on files named openssl in case you have other applications that bundle that library as Apple recommends rather than depending on the "safe" version Apple still ships with OS X.

# Quote the Spotlight query and read the paths line by line so file names with spaces survive
mdfind 'kMDItemFSName == "openssl"' | while IFS= read -r ff; do echo "#### $ff"; mdls "$ff" | grep kMDItemKind; done

bmike
  • For those who use MacPorts, they've released an updated OpenSSL as well. Running port selfupdate followed by port upgrade openssl will get you the fixed 1.0.1g version. – coredumperror Apr 09 '14 at 00:01
  • @CoreDumpError Thanks for that - I did embed your commands in the answer so that people see it clearly right next to the homebrew "recipe". – bmike Apr 09 '14 at 15:25
  • It’s also worth noting that Apple’s client software uses Secure Transport, Apple’s own code, not OpenSSL; the same goes for any software using Cocoa or Core Foundation APIs to communicate over the 'Net. – al45tair Apr 10 '14 at 10:44
  • Curiosity: do you know why Apple stopped using OpenSSL? – Roberto Apr 11 '14 at 05:03
  • FWIW - an unrelated bug was found in Apple's SSL code less than 2 months ago: http://nakedsecurity.sophos.com/2014/02/24/anatomy-of-a-goto-fail-apples-ssl-bug-explained-plus-an-unofficial-patch/ – Elliot Apr 11 '14 at 05:39

17

I have run openssl version on every Mac I could get my hands on [1] and all of them show:

OpenSSL 0.9.8y 5 Feb 2013

…including the current latest version: OS X 10.9.2.

Therefore I can conclude that no version of OS X is affected by Heartbleed.

[1] and also ones I couldn't and just had SSH — still tested though, production machines are important! All in all I tested around 30 machines with various versions of OS X.

grg
  • "A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected including 1.0.1f and 1.0.2-beta1." via openssl.org (emphasis added). So as grgarside said... – dwightk Apr 08 '14 at 17:57
  • @dwightk The question was about which versions of OS X have one of the affected OpenSSL versions. The versions of OpenSSL that are affected are well known, thanks though. – MDMoore313 Apr 08 '14 at 18:04

11

While OS X doesn't ship with the affected releases of OpenSSL, it's still strongly encouraged to do an openssl version in case one may have been installed as part of some third party package.

For example, my computer reported OpenSSL 1.0.1f 6 Jan 2014 because it had been included as a dependency for something I had installed through MacPorts. sudo port upgrade outdated solved this, of course.

Daniel Perván
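The version check the last two answers describe, carried through as a script. This is an added example, not code from any of the answers: it classifies openssl version banners against the affected range quoted from openssl.org in the comments above (1.0.1 through 1.0.1f and the 1.0.2 betas; 1.0.1g is the fixed release coredumperror mentions), runs that over a constructed inventory of hosts, and on a Mac also reads the banner out of every openssl or libssl file Spotlight finds, extending the mdfind one-liner in the accepted answer to libssl libraries. The host names and inventory lines are made up.

```shell
# Added example, not code from any answer here. Classifies `openssl version`
# banners against the Heartbleed (CVE-2014-0160) range quoted from openssl.org
# above: 1.0.1 through 1.0.1f and the 1.0.2-beta releases are affected; Apple's
# 0.9.8y, the 1.0.0 line and the fixed 1.0.1g are not.

# heartbleed_affected "<banner>" prints "affected" or "not-affected".
heartbleed_affected() {
    ver=${1#* }        # drop the leading "OpenSSL " word
    ver=${ver%% *}     # drop the build date, leaving e.g. "1.0.1f"
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta*) echo affected ;;
        *)                            echo not-affected ;;
    esac
}

# Constructed sample inventory ("hostname banner", names made up), as collected
# by running `openssl version` over SSH on each machine.
SAMPLE_INVENTORY='mac-10.9.2   OpenSSL 0.9.8y 5 Feb 2013
mac-macports OpenSSL 1.0.1f 6 Jan 2014
mac-homebrew OpenSSL 1.0.1g 7 Apr 2014
build-box    OpenSSL 1.0.2-beta1 24 Feb 2014'

# report_inventory "<lines>" prints one line per host, then the count of hosts
# that still need patching as its last line.
report_inventory() {
    printf '%s\n' "$1" | {
        count=0
        while read -r host banner; do
            [ -n "$host" ] || continue
            status=$(heartbleed_affected "$banner")
            printf '%-13s %-32s %s\n' "$host" "$banner" "$status"
            if [ "$status" = affected ]; then count=$((count + 1)); fi
        done
        printf 'affected hosts: %s\n' "$count"
    }
}

# On the Mac itself: the openssl on PATH, then the banner embedded in each openssl
# binary or libssl library Spotlight indexes, read with grep -a rather than by
# executing the file. mdfind exists only on macOS, so that part is skipped elsewhere.
scan_local() {
    if command -v openssl >/dev/null 2>&1; then
        b=$(openssl version)
        printf 'PATH: %s -> %s\n' "$b" "$(heartbleed_affected "$b")"
    fi
    command -v mdfind >/dev/null 2>&1 || return 0
    mdfind 'kMDItemFSName == "openssl" || kMDItemFSName == "libssl*"' |
    while IFS= read -r f; do
        b=$(grep -a -o -m1 'OpenSSL [0-9][0-9a-z.-]* [0-9]* [A-Z][a-z]* [0-9]*' "$f" 2>/dev/null) || continue
        printf '%s: %s -> %s\n' "$f" "$b" "$(heartbleed_affected "$b")"
    done
}
report_inventory "$SAMPLE_INVENTORY"
scan_local
```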