What versions of OS X are affected by Heartbleed?

What versions of OS X come default with the affected versions of OpenSSL?

All Internet traffic right now is clogged with the same generic information in regards to the Heartbleed bug, without any attention paid to Macintosh in the environment. I am looking for information on Mac OS X client as well as Mac OS X server. Right now it's impractical for me to check all the Macs in the environment for their specific version of OpenSSL, but I already have the Mac OS X version information for the affected machines.


Solution 1:

No versions of OS X are affected (nor is iOS affected). Only installing a third-party app or modification would result in a Mac or OS X program having that vulnerability / bug in OpenSSL version 1.0.x.


Apple deprecated OpenSSL on OS X in December of 2012, if not earlier. No version of OpenSSL that is vulnerable to CVE-2014-0160 (a.k.a. the Heartbleed Bug)

Apple provides several alternate application interfaces that provide SSL to Mac developers and has this to say about OpenSSL:

OpenSSL does not provide a stable API from version to version. For this reason, although OS X provides OpenSSL libraries, the OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS. Use of the OS X OpenSSL libraries by apps is strongly discouraged.

Specifically, the latest version of OpenSSL shipped by Apple is OpenSSL 0.9.8y 5 Feb 2013, which does not appear to have the bug from newer versions of OpenSSL back-ported to the code for Apple's version of the library.

The PDF of this documentation has some clearly written advice for developers and some sections that are useful for professionals or the security-minded user as well.

  • OpenSSL for Mac Developers and PDF version of Apple's Cryptographic Services Guide

Considering this, the only remaining issue would be additional software that was built against OpenSSL, e.g. several packages in Homebrew (brew update followed by brew upgrade) or MacPorts (port selfupdate followed by port upgrade openssl), to update to the patched 1.x version of OpenSSL.

Also, you could use mdfind/mdls to check on files named openssl in case you have other applications that bundle that library as Apple recommends rather than depending on the "safe" version Apple still ships with OS X.

mdfind 'kMDItemFSName == "openssl"' | while IFS= read -r ff; do echo "#### $ff"; mdls "$ff" | grep kMDItemKind; done

Solution 2:

I have run openssl version on every Mac I could get my hands on¹ and all of them show:

OpenSSL 0.9.8y 5 Feb 2013

…including the current latest version: OS X 10.9.2.

Therefore I can conclude that no version of OS X is affected by Heartbleed.

¹ and also ones I couldn't and just had SSH — still tested though, production machines are important! All in all I tested around 30 machines with various versions of OS X.

Solution 3:

While OS X doesn't ship with the affected releases of OpenSSL, it's still strongly encouraged to run openssl version in case one may have been installed as part of some third-party package.

For example, my computer reported OpenSSL 1.0.1f 6 Jan 2014 because it had been included as a dependency for something I had installed through MacPorts. sudo port upgrade outdated solved this, of course.
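A small check script that combines the advice in Solution 1 (look for other copies of OpenSSL on the machine) and Solution 3 (run openssl version and look at what it reports), as an added example that is not part of any of the answers above. It classifies the banner against the release range affected by CVE-2014-0160 (1.0.1 through 1.0.1f and 1.0.2-beta1; 0.9.8x, 1.0.0x and 1.0.1g or later are not affected) and then walks the usual install locations; the Homebrew and MacPorts binary paths are assumed defaults, and the Spotlight step simply reports that mdfind is unavailable when run somewhere other than OS X.

```shell
#!/bin/sh
# Added example (not from the answers above): classify `openssl version`
# banners and inventory OpenSSL copies on a Mac. POSIX sh, no bashisms.

# heartbleed_vulnerable BANNER
#   exit 0 if BANNER names a Heartbleed-affected release,
#   exit 1 if it names an unaffected release,
#   exit 2 if it is not an "OpenSSL <version> ..." banner at all.
heartbleed_vulnerable() {
    ver=$(printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }')
    case "$ver" in
        1.0.1|1.0.1[a-f]|1.0.2-beta1) return 0 ;;  # affected range for CVE-2014-0160
        '')                           return 2 ;;  # empty or foreign banner
        *)                            return 1 ;;  # 0.9.8x, 1.0.0x, 1.0.1g+ etc.
    esac
}

# classify BANNER -> prints VULNERABLE, OK or UNKNOWN
classify() {
    rc=0
    heartbleed_vulnerable "$1" || rc=$?      # "||" keeps set -e from aborting
    case $rc in
        0) echo VULNERABLE ;;
        1) echo OK ;;
        *) echo UNKNOWN ;;
    esac
}

# scan_openssl_binaries PATH... -> one report line per executable that exists
scan_openssl_binaries() {
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        banner=$("$bin" version 2>/dev/null) || banner=""
        printf '%s: %s [%s]\n' "$bin" "${banner:-no banner}" "$(classify "$banner")"
    done
}

# scan_spotlight -> Solution 1's mdfind/mdls inventory, guarded so the script
# still runs on systems without Spotlight (assumed: mdls -name/-raw flags).
scan_spotlight() {
    command -v mdfind >/dev/null 2>&1 || { echo "mdfind not available (not OS X)"; return 0; }
    mdfind 'kMDItemFSName == "openssl"' | while IFS= read -r f; do
        printf '%s: %s\n' "$f" "$(mdls -name kMDItemKind -raw "$f" 2>/dev/null)"
    done
}

main() {
    # Apple's copy, then the assumed Homebrew and MacPorts locations
    scan_openssl_binaries /usr/bin/openssl /usr/local/bin/openssl /opt/local/bin/openssl
    scan_spotlight
}

main
```

The classification is deliberately conservative: anything that is not literally an OpenSSL banner is reported as UNKNOWN rather than OK, so a wrapper or a differently named library still gets a human look instead of being silently passed.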