Wednesday, 23 April 2014

Apple Fixes Heartbleed Bug in AirPort Extreme and Time Capsule

Back in early April Apple had told its key web-based services aren't affected by the Heartbleed security vulnerability, but it forgot to mention that some of its hardware — namely, the 2013 AirPort Extreme and Time Capsule — are vulnerable.

Now, the company has released a firmware update that fixes the issue for both products.

Apple describes the bug as follows:

"An out-of-bounds read issue existed in the OpenSSL library when handling TLS heartbeat extension packets. An attacker in a privileged network position could obtain information from process memory. This issue was addressed through additional bounds checking. Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue."

In short, if you have an AirPort Extreme or an AirPort Time Capsule dating from June 2013 or later, you should apply the patch as soon as possible.

Heartbleed is a widespread bug in OpenSSL that allows an attacker to retrieve bits of data from the memory of systems protected by OpenSSL, potentially allowing him to steal passwords and other sensitive information. Most major web companies have announced a fix shortly after the news of the vulnerability went public.

Via 9to5Mac