Apple's iOS, OS X don't have Heartbleed bug but BBM for iOS and Android do

Summary: Apple iOS and OS X devices aren't affected by the Heartbleed bug, but BlackBerry's BBM and Secure Work Spaces are — and the company says it lacks a fix for the issue.


iOS and OS X users can breathe a sigh of relief with the knowledge that their devices are not affected by the catastrophic OpenSSL Heartbleed security flaw — but if they're using BBM for really private messages on iOS they might want to stop right now.

Apple products don't suffer from the bug that has prompted a fair chunk of the internet to race out patches to fix web servers, security hardware, routers and other products that relied on the OpenSSL implementation of the SSL/TLS standard for secured web communications.

"Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected," Apple told Re/code.

Apple uses a different SSL/TLS library called SecureTransport, which was hit by its own very serious bug in February — though it wasn't quite as dangerous as Heartbleed.

In Apple's case, SecureTransport wasn't properly checking the signature in a TLS Server Key Exchange message, which left iOS and OS X users exposed to attackers spoofing SSL servers to pull off a man-in-the-middle attack and capture private data. That bug affected multiple versions of iOS 6 and iOS 7 as well as OS X.

By contrast, Heartbleed puts at risk pretty much anything that was protected by OpenSSL encryption, including passwords, private keys, and other sensitive details such as credit card details. (As noted by a commenter, iOS and OS X users may still be affected by an attack on a vulnerable server.)
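Heartbleed is a missing bounds check in OpenSSL's handling of the TLS heartbeat extension: the server copied as many bytes into its reply as the peer's payload_length field claimed, not as many as the record actually held, so neighbouring process memory came back with the reply. The following is an added illustration of that defect beside the corrected check, written for this article and not taken from OpenSSL; the record layout follows RFC 6520, and the arena and "SECRET-KEY-MATERIAL" bytes are constructed sample data.

```c
#include <stdint.h>
#include <string.h>

/* Added illustration, not OpenSSL's code. RFC 6520 heartbeat record layout:
 * type(1) | payload_length(2, big-endian) | payload | padding(>=16 bytes). */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16
#define REC_LEN     21   /* constructed sample: 3-byte header + 2-byte payload + 16 padding */

/* Vulnerable shape: trusts the sender's payload_length and never compares it with the
 * real record length, so the reply echoes whatever lies in memory past the record. */
size_t hb_reply_unchecked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                                   /* rec_len is ignored: the defect */
    if (out_cap < (size_t)3 + claimed + HB_PADDING) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);               /* over-read when claimed > rec_len - 3 */
    memset(out + 3 + claimed, 0, HB_PADDING);
    return (size_t)3 + claimed + HB_PADDING;
}

/* Fixed shape: RFC 6520 requires a heartbeat whose payload_length does not fit in the
 * record (together with the padding) to be silently discarded. */
size_t hb_reply_checked(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap) {
    if (rec_len < 3 + HB_PADDING || rec[0] != HB_REQUEST) return 0;
    uint16_t claimed = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + claimed + HB_PADDING > rec_len) return 0;   /* the missing bounds check */
    if (out_cap < (size_t)3 + claimed + HB_PADDING) return 0;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + 3, rec + 3, claimed);
    memset(out + 3 + claimed, 0, HB_PADDING);
    return (size_t)3 + claimed + HB_PADDING;
}

/* Constructed 64-byte arena: a 21-byte request claiming a 32-byte payload but carrying
 * only "hi", with unrelated data sitting right after it in memory. */
static void build_arena(uint8_t arena[64]) {
    static const uint8_t rec[REC_LEN] = { HB_REQUEST, 0x00, 0x20, 'h', 'i' };  /* rest: zero padding */
    memset(arena, 0, 64);
    memcpy(arena, rec, REC_LEN);
    memcpy(arena + REC_LEN, "SECRET-KEY-MATERIAL", 19);
}
/* 1 if the unchecked handler echoed bytes that were never part of the record. */
int unchecked_leaks_neighbour(void) {
    uint8_t arena[64], out[128]; build_arena(arena);
    return hb_reply_unchecked(arena, REC_LEN, out, sizeof out) == 51
        && memcmp(out + REC_LEN, "SECRET", 6) == 0;
}
/* Reply length from the fixed handler; 0 means the request was discarded. */
size_t checked_reply_len(uint8_t claimed_low_byte) {
    uint8_t arena[64], out[128]; build_arena(arena);
    arena[2] = claimed_low_byte;                     /* 0x20 = oversized claim, 0x02 = honest */
    return hb_reply_checked(arena, REC_LEN, out, sizeof out);
}
```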

BlackBerry has now confirmed that several of its products, including BBM for iOS and Android, were affected by Heartbleed. BBM has about 80 million users.

Other BlackBerry products affected include its rival to Samsung's Knox, Secure Work Space for iOS and Android, and BlackBerry Link for Windows and Mac OS.

BlackBerry doesn't have a patch for any of the products yet, but worse yet there are "no mitigations" for the vulnerability in BBM or Secure Work Spaces.

However, BlackBerry noted the flaw is "non-trivial" to exploit. Still, users might be wise to err on the side of caution and avoid the apps if they can until the company has a patch.

BlackBerry's core products including BlackBerry smartphones, BlackBerry Enterprise Server 5 and BlackBerry Enterprise Service 10 were not affected, it said.

Google yesterday confirmed Android 4.1.1, Jelly Bean, was affected by the flaw and it was developing a patch and distributing it to Android partners.

It's not clear how many Android 4.1.1 devices exist but according to Google's Android distribution dashboard 4.1.x accounts for about 35 percent of all Android devices.

In other words, even a small cut of that could still amount to a very large number of Android devices that need patching — and when it comes to patching, Google's Android partners haven't had a good track record for rushing them out.

Microsoft yesterday confirmed Azure was unaffected by the bug and that Windows comes with Microsoft's own encryption component called Secure Channel, aka SChannel.

However, cloud giant Amazon confirmed it was affected, which has had an impact on anyone who used ELB, EC2, OpsWorks, Elastic Beanstalk, or CloudFront.

Mozilla announced on Wednesday that its federated identity authentication project, Persona, and Firefox Accounts were affected by Heartbleed. Their servers ran in AWS, with encrypted TLS connections terminating on AWS ELB, which used OpenSSL.

There are a number of tools that can be used to check whether a specific site is affected, including the Heartbleed test, the LastPass Heartbleed checker, and the Qualys SSL Labs test.

Liam Tung

About Liam Tung

Liam Tung is an Australian business technology journalist living a few too many Swedish miles north of Stockholm for his liking. He gained a bachelors degree in economics and arts (cultural studies) at Sydney's Macquarie University, but hacked (without Norse or malicious code for that matter) his way into a career as an enterprise tech, security and telecommunications journalist with ZDNet Australia. These days Liam is a full time freelance technology journalist who writes for several publications.

  • When you make APPLE look like a security expert

    ... you know your security plan has screwed up big time. Don't be the last fool left on the "FOSS better than proprietary" bandwagon.
    • Apple's record is far better than many

      Face facts, Apple's track record for security blows away any real commercial competition. So, actually making Apple look like a security expert is actually par for the course. Virtually none of the countless Windows vulns are even remotely an issue on Mac, but nonetheless the media tend to generalize to all computers, when it's almost never the case.
      • Par for the course

        People like that troll, hate anything related to Apple (the company, management, products, and users) for no rational reason. They react to any positive news about Apple, irrationally with anger and disparaging remarks, rather than accept reality and factual information.

        Instead of being content using the non-Apple products they have chosen (assuming that they are content), they waste their time lashing out at others. But people who actually use Apple products are too busy enjoyably using those products, and being aware of reality find the vapid and ludicrous comments by trolls as minor annoyances. Trolls are just the mosquitos of the Internet. ;-))
        Harvey Lubin
        • Apple Prods not always enjoyable...

          I have 2 iMac 27's, a 2014 MBP, an iPad Air, and an iPhone. While your security comments are probably true I've encountered numerous problems with my Apple prods. The superdrive in my work iMac died after 2 months of minimal use. My 2014 MBP frequently crashes on startup (as in totally frozen, reboot required) and the battery life is nowhere close to the advertised 7 hours (more like 2 hours). I'm traveling with it in Europe at present and I'm not pleased, to say the least...
      • Actually... Apple is likely affected. They licensed OpenSSL code...

        I was performing some research into Apple's statement that its software is not vulnerable, and "doesn't use OpenSSL" code.

        Well, when you READ the Software Acknowledgements in the "Airport Utility", it lists OpenSSL as a licensee. I'm not sure what software OpenSSL developed that Apple used, however, it might be OpenSSL.

        Can someone look into the open source code Apple developed for AirPort WiFi?

        Also, I'm not sure why Apple thinks the WiFi connection utilities aren't considered a "Key Web Service". But considering Apple's culture is one where they "Deny-Then-Fix" or "Don't disclose vulnerabilities until there's a fix" It's probably very likely that Apple is actually affected.
        donald duck 313
    • Perhaps the real message we should be getting is...

      ...monoculture bad; software diversity good. That's not going to please MS-fans nearly as much as the other message, but I think it's a lot more accurate.
      John L. Ries
  • Wrong and misleading article

    OS X and iOS *users* are indeed vulnerable. The user OS has no control whatsoever as to whether they are vulnerable or not. The vulnerability is such that a malicious user attacks servers and gains the ability to impersonate those servers to *any* client, regardless of how secure said client may be. There is of course a risk to clients beyond this facet of the situation, but this is the primary threat. To say OS X is not vulnerable is to oversimplify the nature of this.
    • You do have a point

      insofar as any third party services are concerned, or websites you might visit in Safari. The vulnerability is not just a client one.

      That said, it does mean that you're safe using Apple's own native services on the device (aka iTunes, iTunes Match, App Store, iCloud.)
      • True

        However exploiting the situation for a bit of marketing doesn't help any of the thousands of users who will read that headline and assume that because they have a device with an Apple badge that they are suddenly secure everywhere on the net.
        And people are stupid enough to believe this.
        • In the author's defense...

          The headline (as does the body) does reference a 3rd party iOS app being vulnerable, so it doesn't exactly translate to "Use Apple? You're 100% Immune to Heartbleed".

          If people lack the basic comprehension required to put 2 and 2 together, I don't think you can hold the author responsible.
          • Apple iOS and OS X devices aren't affected by the Heartbleed bug

            That statement in the summary alone will make a number of people believe that they are safe and no action is required by the end user.
          • Pointless observation

            You can always blame the masses for being uninformed. The fact that the client is secure is important--not some kind of footnote.

            And yes, Mac users are incredibly USED to the fact that, although OUR systems are secure, because of Windows issues, we need to be careful. This is no different from that old MODEL.
          • Again, if you don't read the headline or the body, or have comprehension...

            While Twitter (and many of its users) would like the world to be 140 characters or less, the rest of the words that comprise the body of an article are there for a reason, not to take up space.

            So rather than just subscribing to short attention span theater, maybe people should actually read the whole thing before considering themselves informed.

            Reading a WHOLE ARTICLE? Crazy concept, I know. I guess this comment should be flagged (twice) just for daring to suggest it.
    • Yes, we all users are vulnerable

      One day, all men die.

      Was this what you meant to say? ;-)
  • note about Amazon

    A lot of coverage has been given to AWS and other Amazon hosting services... however they always fail to mention that was not vulnerable. Not that anyone ever uses that site.
    • Re: Not that anyone ever uses that site.

      Correct. We Europeans prefer the EU branded sites, as they don't force us to go via random customs madness each time we order some electronic gadget.
      • EBAY

        eBay is the best place online to make international orders using PAYPAL, and from eBay you can buy direct from China at very special rates & FREE SHIPPING.
  • Really Poor/Misleading Headline

    It implies that Apple devices are immune to the bug (no they are not - as it mentions further on in the article). Other than that an adequate article, with some interesting information buried within, though it fails to mention that AWS was one of the first services to patch themselves, having called them out as being affected.

    And yes, it does make a fairly good argument for not using FOSS in this instance, OR for not keeping your FOSS servers up to date (what very few articles mention is that it only affects newer versions of the OpenSSL library in question - versions prior to 1.0.1 are not affected).

    The Android vulnerability is worrying; fortunately I have none on JB 4.1.1, all are either 4.2 or later or prior to 3... I suspect a mass move to CyanogenMod from those in the know....
  • hmm

    I'm surprised that people are targeting Google's partners about patching when the issue with patches getting rolled out falls on the carriers and their needs to sell more phones or add their own software to the patches.
  • Worst article

    Whether a company is vulnerable or not to Heartbleed is a factor of luck. None of these companies were aware of the vulnerability, and the secure transfer protocol on which the vulnerability preyed was considered to be a newer, improved and more secure protocol. Therefore, many of the vulnerable companies were in the banking and govt sectors as they were looking to the most secure protocol. The fact that it turned out not to be as secure is not a credit to Apple. Apple is not secure fundamentally so it doesn't matter any which way. This is a trash article.