updated 07:57 pm EDT, Tue April 22, 2014
Company mostly untouched by Heartbleed bug, with one exception
On Tuesday, Apple, which had previously said none of its key software, operating systems, websites or web services had been affected by the Heartbleed OpenSSL security flaw, issued a firmware patch for its 2013 AirPort Extreme and AirPort Time Capsule, the only models that support 802.11ac, to fix the issue. The 2013 AirPort Express is not affected by the bug and does not require the update. The patch brings the Extreme and Time Capsule firmware to version 7.7.3 and "provides security improvements related to SSL/TLS."
The release note does not mention the OpenSSL bug by name, and even on the affected units the flaw is only reachable if "Send Diagnostics" or "Back to My Mac" is turned on, since those are the features that expose an OpenSSL-based TLS service on the base station. Owners who have either feature off today should still install the update, so that enabling one later does not reopen the hole. The bug does not affect OS X or iOS, nor the company's websites or iCloud services, none of which ever used the versions of OpenSSL that were found to be flawed.
"An out-of-bounds read issue existed in the OpenSSL library when handling TLS heartbeat extension packets," said Apple in its release notes. "An attacker in a privileged network position could obtain information from process memory. This issue was addressed through additional bounds checking. Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue."
It is possible the company simply overlooked its 802.11ac routers until reports of other routers being affected by the bug surfaced. Updates for the iOS versions of Pages, Numbers and Keynote, all of which can send documents to iCloud, also appeared today, and may be connected to the AirPort patch.
The flaw, which mostly affected web servers, forced millions of users to change passwords on key sites, since the sites could not be certain that their systems had not been compromised. OpenSSL is used to secure communications between devices and websites by encrypting transmissions, but researchers discovered that a malformed TLS heartbeat request could make a server return up to 64KB of its own process memory per request, with no trace in the server's logs. Whether a given read happens to contain decrypted traffic, user credentials, session cookies or even the server's private key depends on what is in memory at that moment, but an attacker can repeat the request as often as desired, so recovering sensitive data was a practical rather than a merely theoretical concern. Most websites moved quickly to fix the issue and alert users to change passwords, even though there is little evidence that the flaw was widely exploited during the roughly two years it went undiscovered.
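Apple's release note describes the bug as an out-of-bounds read fixed by "additional bounds checking". The following is an added illustration, not OpenSSL's or Apple's code: a simplified TLS heartbeat handler in its vulnerable form beside the corrected one, run against a constructed block of memory in which a short heartbeat record sits next to a "secret". The message layout (1-byte type, 2-byte payload_length, payload, 16 bytes of padding) follows the heartbeat extension; the function names, the arena and the secret string are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16   /* heartbeat messages carry at least 16 bytes of padding */
#define HB_HDR       3    /* 1-byte type + 2-byte payload_length */

/* Vulnerable handler: trusts the peer-supplied payload_length and copies that
 * many bytes out of the record buffer even when the record is shorter.
 * Returns the response length, or -1 if the request is malformed. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PADDING > out_cap)
        return -1;                       /* protects out, but never checks rec_len */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    /* Over-read: when payload > rec_len - HB_HDR this copies whatever
     * follows the record in memory into the response. */
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING); /* real TLS uses random padding */
    return (int)(HB_HDR + payload + HB_PADDING);
}

/* Fixed handler: the "additional bounds checking" of the release note.
 * A request whose claimed payload plus padding does not fit inside the
 * bytes actually received is silently dropped. */
static int heartbeat_fixed(const uint8_t *rec, size_t rec_len,
                           uint8_t *out, size_t out_cap)
{
    if (rec_len < HB_HDR + HB_PADDING || rec[0] != HB_REQUEST)
        return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HDR + payload + HB_PADDING > rec_len)
        return -1;                       /* the missing check */
    if (HB_HDR + payload + HB_PADDING > out_cap)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HDR, rec + HB_HDR, payload);
    memset(out + HB_HDR + payload, 0, HB_PADDING);
    return (int)(HB_HDR + payload + HB_PADDING);
}

/* Constructed memory layout (assumption for this example): a 21-byte
 * heartbeat record carrying the 2-byte payload "hi" plus 16 bytes of padding,
 * but claiming a 32-byte payload (0x0020), followed by unrelated data. */
static const uint8_t ARENA[] =
    "\x01\x00\x20" "hi"
    "\0\0\0\0\0\0\0\0" "\0\0\0\0\0\0\0\0"
    "SECRET:password=hunter2";
#define REC_LEN (HB_HDR + 2 + HB_PADDING)   /* 21 bytes actually received */

/* Runs one handler on the constructed record and returns 1 if bytes from
 * beyond the record (the word "SECRET") ended up in the response. */
static int secret_leaked(int use_fixed)
{
    uint8_t out[256];
    memset(out, 0, sizeof out);
    int n = use_fixed ? heartbeat_fixed(ARENA, REC_LEN, out, sizeof out)
                      : heartbeat_vulnerable(ARENA, REC_LEN, out, sizeof out);
    if (n < 0)
        return 0;
    for (int i = HB_HDR; i + 6 <= n; i++)
        if (memcmp(out + i, "SECRET", 6) == 0)
            return 1;
    return 0;
}

/* Sanity check that the fixed handler still answers a well-formed request:
 * returns the response length (21) if the payload "hi" is echoed back. */
static int well_formed_ok(void)
{
    uint8_t good[HB_HDR + 2 + HB_PADDING] = { HB_REQUEST, 0x00, 0x02, 'h', 'i' };
    uint8_t resp[64];
    int n = heartbeat_fixed(good, sizeof good, resp, sizeof resp);
    if (n != (int)sizeof good || resp[0] != HB_RESPONSE || memcmp(resp + HB_HDR, "hi", 2) != 0)
        return -1;
    return n;
}

int main(void)
{
    printf("vulnerable handler leaked secret: %s\n", secret_leaked(0) ? "yes" : "no");
    printf("fixed handler leaked secret:      %s\n", secret_leaked(1) ? "yes" : "no");
    printf("fixed handler echoes valid request: %d bytes\n", well_formed_ok());
    return 0;
}
```

The only difference between the two handlers is the single comparison of the claimed payload length against the record length; everything the attacker learns comes from memcpy reading past the end of the record because that comparison was absent. In a real server the adjacent memory is whatever the heap held last, which is why the leaked contents vary from request to request and why repeating the request is the whole attack.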
Other devices that shipped with or installed the flawed OpenSSL versions could also be affected by the bug. A number of Android phones and routers have turned out to use it, including the HTC One smartphone and some Cisco routers, among other devices. Macs could also be affected if users installed their own (flawed) copy of OpenSSL as an update to the (unaffected) earlier version that is in place by default; running "openssl version" in Terminal shows which build is actually on the path, and OpenSSL 1.0.1 through 1.0.1f are the affected releases.