Apple's iOS, OS X don't have Heartbleed bug but BBM for iOS and Android do

Apple iOS and OS X devices aren't affected by the Heartbleed bug, but BlackBerry's BBM and Secure Work Spaces are — and the company says it lacks a fix for the issue.
Written by Liam Tung, Contributing Writer

iOS and OS X users can breathe a sigh of relief with the knowledge that their devices are not affected by the catastrophic OpenSSL Heartbleed security flaw — but if they're using BBM for really private messages on iOS they might want to stop right now.

Apple products don't suffer from the bug that has prompted a fair chunk of the internet to race out patches to fix web servers, security hardware, routers and other products that relied on the OpenSSL implementation of the SSL/TLS standard for secured web communications.

"Apple takes security very seriously. iOS and OS X never incorporated the vulnerable software and key web-based services were not affected," Apple told Re/code.

Apple uses a different SSL/TLS library, SecureTransport, which was hit by its own very serious bug in February — though it wasn't quite as dangerous as Heartbleed.

In Apple's case SecureTransport wasn't properly checking the signature in a TLS ServerKeyExchange message. Because the signature is what ties the ephemeral key-exchange parameters to the server's certificate, skipping that check left iOS and OS X users exposed to attackers spoofing SSL servers to pull off a man-in-the-middle attack and capture private data. That bug affected multiple versions of iOS 6 and iOS 7 as well as OS X.
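To make the SecureTransport failure concrete, here is an added example (not code from the article or from Apple) that models a client's ServerKeyExchange signature check. It uses a constructed textbook-RSA key pair with small fixed primes, so it is an illustration rather than usable cryptography; the `transcript`, `verify_ske_correct` and `verify_ske_buggy` names are the example's own. The buggy variant mirrors the shape of the Apple defect: an unconditional jump to the cleanup path before the signature result is consulted, so the function returns the earlier, successful status.

```python
"""Model of the TLS ServerKeyExchange signature check a client must perform.

Constructed example: toy RSA with small fixed primes (NOT real cryptography),
used only to show why skipping the final check accepts tampered parameters.
"""
import hashlib
import os

# Constructed toy RSA key pair (textbook RSA; far too small for real use).
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+ modular inverse)


def _digest_int(data: bytes) -> int:
    """Hash the data and reduce it into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def sign(data: bytes, d: int = D) -> int:
    """Server side: sign the handshake transcript with the private exponent."""
    return pow(_digest_int(data), d, N)


def signature_ok(data: bytes, sig: int, e: int = E, n: int = N) -> bool:
    """Client side: does the signature recover the digest of the transcript?"""
    return pow(sig, e, n) == _digest_int(data)


def transcript(client_random: bytes, server_random: bytes, dh_params: bytes) -> bytes:
    """TLS signs both handshake randoms plus the ephemeral key-exchange params."""
    return client_random + server_random + dh_params


def verify_ske_correct(client_random, server_random, dh_params, sig) -> int:
    """Return 0 (accept) only when the signature verifies; nonzero otherwise."""
    err = 0
    data = transcript(client_random, server_random, dh_params)
    if not signature_ok(data, sig):
        err = -1  # signature does not match the parameters: reject
    return err


def verify_ske_buggy(client_random, server_random, dh_params, sig) -> int:
    """Models the SecureTransport defect: an unconditional jump to the cleanup
    path runs before the signature comparison, so err is still 0 (success)."""
    err = 0
    data = transcript(client_random, server_random, dh_params)
    goto_fail = True  # the duplicated, unconditional jump
    if goto_fail:
        return err  # cleanup path reached with err == 0: accepted
    if not signature_ok(data, sig):  # never reached
        err = -1
    return err


def handshake_outcomes() -> dict:
    """Run a genuine exchange and a tampered one through both client variants."""
    client_random = os.urandom(32)
    server_random = os.urandom(32)

    genuine_params = b"constructed-dh-params-from-genuine-server"
    genuine_sig = sign(transcript(client_random, server_random, genuine_params))

    # Tampered exchange: parameters replaced in transit by a party that does
    # not hold the server's private key, with the original signature forwarded.
    tampered_params = b"constructed-dh-params-substituted-in-transit"
    tampered_sig = genuine_sig

    return {
        "correct_genuine": verify_ske_correct(client_random, server_random, genuine_params, genuine_sig) == 0,
        "correct_tampered": verify_ske_correct(client_random, server_random, tampered_params, tampered_sig) == 0,
        "buggy_genuine": verify_ske_buggy(client_random, server_random, genuine_params, genuine_sig) == 0,
        "buggy_tampered": verify_ske_buggy(client_random, server_random, tampered_params, tampered_sig) == 0,
    }


if __name__ == "__main__":
    for name, accepted in handshake_outcomes().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The only outcome that differs between the two clients is the tampered exchange: the correct client rejects it, the buggy one accepts it, which is exactly the gap a man-in-the-middle needs. The detection lesson for reviewers is that a verification routine must return the result of the comparison, not a status variable that was last set by an earlier step.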

By contrast, Heartbleed puts at risk pretty much anything that was protected by OpenSSL encryption, including passwords, private keys, and other sensitive details such as credit card details. (As noted by a commenter, iOS and OS X users may still be affected by an attack on a vulnerable server.)

BlackBerry has now confirmed that several of its products, including BBM for iOS and Android, were affected by Heartbleed. BBM has about 80 million users.

Other BlackBerry products affected include its rival to Samsung's Knox, Secure Work Space for iOS and Android, and BlackBerry Link for Windows and Mac OS.

BlackBerry doesn't have a patch for any of the products yet, but worse yet there are "no mitigations" for the vulnerability in BBM or Secure Work Spaces.

However, BlackBerry noted the flaw is "non-trivial" to exploit. Still, users might be wise to err on the side of caution and avoid the apps if they can until the company has a patch.

BlackBerry's core products including BlackBerry smartphones, BlackBerry Enterprise Server 5 and BlackBerry Enterprise Service 10 were not affected, it said.

Google yesterday confirmed Android 4.1.1, Jelly Bean, was affected by the flaw and it was developing a patch and distributing it to Android partners.

It's not clear how many Android 4.1.1 devices exist but according to Google's Android distribution dashboard 4.1.x accounts for about 35 percent of all Android devices.

In other words, even a small cut of that could still amount to a very large number of Android devices that need patching — and when it comes to patching, Google's Android partners haven't had a good track record for rushing them out.

Microsoft yesterday confirmed Azure was unaffected by the bug and that Windows comes with Microsoft's own encryption component called Secure Channel, aka SChannel.

However, cloud giant Amazon confirmed it was affected, which has an impact on anyone who used ELB, EC2, OpsWorks, Elastic Beanstalk, and CloudFront.

Mozilla announced on Wednesday that its federated identity authentication project, Persona, and Firefox Account were affected by Heartbleed. Their servers ran in AWS while encrypted TLS connections terminated on AWS ELB using OpenSSL.

There are a number of tools that can be used to check which specific sites are affected, including Heartbleed test, LastPass Heartbleed checker, or the Qualys SSL Labs test.
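Besides checking sites, a practitioner will want to know whether the OpenSSL their own tooling links against is in the affected range. The following is an added example (not from the article or from any of the tools named above) that classifies an OpenSSL version string and reports on the interpreter's own library. The affected range it encodes, 1.0.1 through 1.0.1f plus 1.0.2-beta1 with 1.0.1g as the fix, is taken from the OpenSSL project's Heartbleed advisory rather than from this article, and the sample version strings are constructed.

```python
"""Classify OpenSSL version strings against the Heartbleed-affected range."""
import re
import ssl
from typing import Optional, Tuple

# Affected range per the OpenSSL project's Heartbleed advisory (author's note,
# not from the article): 1.0.1 through 1.0.1f, and 1.0.2-beta1. 1.0.1g fixed it;
# the 0.9.8 and 1.0.0 branches never contained the heartbeat extension bug.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(text: str) -> Optional[Tuple[int, int, int, str, Optional[int]]]:
    """Extract (major, minor, fix, letter, beta) from strings such as
    'OpenSSL 1.0.1e-fips 11 Feb 2013'. Returns None for non-OpenSSL strings."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix = int(m.group(1)), int(m.group(2)), int(m.group(3))
    beta = int(m.group(5)) if m.group(5) else None
    return (major, minor, fix, m.group(4), beta)


def is_heartbleed_affected(text: str) -> Optional[bool]:
    """True/False for a recognised OpenSSL version, None when the string is not
    an OpenSSL version at all (e.g. LibreSSL), so callers can treat it as unknown."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return None
    major, minor, fix, letter, beta = parsed
    if (major, minor, fix) == (1, 0, 1):
        # "" (plain 1.0.1) sorts before "a"; "g" and later are fixed releases.
        return letter <= "f"
    if (major, minor, fix) == (1, 0, 2) and beta == 1:
        return True
    return False


def local_openssl_report() -> dict:
    """Report on the OpenSSL this Python interpreter's ssl module links against."""
    version = ssl.OPENSSL_VERSION
    return {"version": version, "affected": is_heartbleed_affected(version)}


if __name__ == "__main__":
    print(local_openssl_report())
```

One caveat worth keeping in mind: distribution packages often backport the fix without changing the upstream letter in the version string, so a string that classifies as affected here can belong to a patched build. Treat a positive result as a prompt to check the package changelog or vendor advisory, not as a final verdict.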
