Here's How Apple Avoided Heartbleed

Apple (NASDAQ: AAPL) earned another feather for its cap last week when it became apparent that iOS and OS X web services were not exposed to the Heartbleed security flaw that affected millions of websites. Over the years, Apple has been criticized for tightly controlling its ecosystem. But this time, that control clearly benefited developers and infrastructure managers.

Apple didn't know about the flaw in advance, but it avoided a problem many reputable companies fell victim to, and it did so by being cautious about the lack of controls around open-source updates. Chance favors the prepared.

Heartbleed's vulnerability was from trusting a handshake
Ronald Reagan used the phrase "trust, but verify" when describing foreign policy. That phrase might sum up the issue that recently plagued the open-source community. OpenSSL implements the security protocol that tells your computer and the server what they are connected to. Once the connection is made, the two sides periodically exchange a small message to make sure the connection is still valid. This extra traffic is known as a heartbeat.

The problem arose from this heartbeat. OpenSSL copied data out of an existing buffer without verifying the length of the packet it had received. Since the server never checked that the amount of information being requested matched the size of the request packet, a client could ask for more information than it had sent.

To a program, this looks like an innocent mistake, which is probably why it went unnoticed for so long. But it opened the door for hackers to ask for more information than they sent over. For example, if the hacker tells a server that the client sent 10 bits of information but actually sent only one, he gets back his one bit of information plus nine other bits of extra data left over from a prior transaction. Those nine bits are random data, but they may contain a password, email address, or bank account number.
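The length check the article describes, as an added example that is not OpenSSL's own code: a constructed record buffer holds a heartbeat request (type byte, two-byte claimed payload length, payload) followed by stale bytes from an earlier record. The unchecked handler trusts the claimed length and so copies stale memory into its reply; the checked handler compares the claimed length against the bytes actually received and drops the request when they disagree, which is the shape of the OpenSSL 1.0.1g fix (that fix also accounts for padding, omitted here). The buffer size, the stale-byte marker `'S'` and the `demo_*` helpers are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the TLS record buffer. In the real bug the buffer
 * held bytes left over from earlier records; here those stale bytes are 'S'. */
#define RECORD_BUF_SIZE 64
#define HB_HEADER_LEN   3   /* type (1 byte) + payload_length (2 bytes, big-endian) */

typedef struct {
    uint8_t data[RECORD_BUF_SIZE];
    size_t  length;         /* bytes actually received in this record */
} record_t;

/* Build a heartbeat request whose header claims `claimed_len` payload bytes
 * but which actually carries only `actual_len` bytes. */
static record_t make_heartbeat(uint16_t claimed_len, const uint8_t *payload, size_t actual_len)
{
    record_t r;
    memset(r.data, 'S', sizeof r.data);            /* stale data from a prior record */
    r.data[0] = 1;                                 /* heartbeat request type */
    r.data[1] = (uint8_t)(claimed_len >> 8);
    r.data[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(&r.data[HB_HEADER_LEN], payload, actual_len);
    r.length = HB_HEADER_LEN + actual_len;
    return r;
}

static uint16_t claimed_payload_len(const record_t *r)
{
    return (uint16_t)((r->data[1] << 8) | r->data[2]);
}

/* Vulnerable shape: trusts the claimed length and copies that many bytes
 * from the record buffer into the response. Returns the number of bytes copied. */
static int heartbeat_unchecked(const record_t *r, uint8_t *out, size_t out_cap)
{
    size_t n = claimed_payload_len(r);
    /* Clamp only so this demo stays inside its constructed buffer;
     * the vulnerable code had no guard of any kind here. */
    if (n > RECORD_BUF_SIZE - HB_HEADER_LEN) n = RECORD_BUF_SIZE - HB_HEADER_LEN;
    if (n > out_cap) n = out_cap;
    memcpy(out, &r->data[HB_HEADER_LEN], n);
    return (int)n;
}

/* Fixed shape: refuse any request whose claimed length exceeds the bytes
 * actually received in the record. Returns -1 when the request is dropped. */
static int heartbeat_checked(const record_t *r, uint8_t *out, size_t out_cap)
{
    size_t n = claimed_payload_len(r);
    if (HB_HEADER_LEN + n > r->length) return -1;  /* claimed more than it sent */
    if (n > out_cap) return -1;
    memcpy(out, &r->data[HB_HEADER_LEN], n);
    return (int)n;
}

/* Scenario from the article: one byte sent, ten claimed (constructed input). */
static const uint8_t ONE_BYTE[1] = { 'A' };

int demo_unchecked_bytes_returned(void)
{
    uint8_t out[RECORD_BUF_SIZE];
    record_t r = make_heartbeat(10, ONE_BYTE, 1);
    return heartbeat_unchecked(&r, out, sizeof out);   /* 10: nine more than sent */
}

int demo_unchecked_second_byte(void)
{
    uint8_t out[RECORD_BUF_SIZE];
    record_t r = make_heartbeat(10, ONE_BYTE, 1);
    heartbeat_unchecked(&r, out, sizeof out);
    return out[1];   /* 'S': stale data the client never sent */
}

int demo_checked_rejects(void)
{
    uint8_t out[RECORD_BUF_SIZE];
    record_t r = make_heartbeat(10, ONE_BYTE, 1);
    return heartbeat_checked(&r, out, sizeof out);     /* -1: request dropped */
}

int demo_checked_accepts_honest(void)
{
    uint8_t out[RECORD_BUF_SIZE];
    record_t r = make_heartbeat(1, ONE_BYTE, 1);
    return heartbeat_checked(&r, out, sizeof out);     /* 1: honest request echoed */
}

int main(void)
{
    printf("unchecked returned %d bytes, second byte '%c'\n",
           demo_unchecked_bytes_returned(), demo_unchecked_second_byte());
    printf("checked: mismatched request -> %d, honest request -> %d\n",
           demo_checked_rejects(), demo_checked_accepts_honest());
    return 0;
}
```

The difference between the two handlers is a single comparison: the record's own `length` field already says how many bytes arrived, so the check costs nothing and is the kind of bounds validation any code that copies attacker-supplied lengths should perform.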

Heartbleed had been hidden in OpenSSL for years, but how big a risk it posed became apparent only recently. The vulnerability opens the door to hackers tapping huge amounts of data, including passwords, credit card information, addresses, Social Security numbers, etc.

Apple, the benevolent dictator
Apple has been accused of dictating policy to its development community. But sometimes, tight control can be a good thing, even if it can be frustrating. Apple switched to Common Crypto and "depreciated" OpenSSL in 2011 in an effort to avoid application crashes. The concern at the time was version compatibility between apps and OpenSSL libraries: if an update was pushed out unevenly to users of an application, Apple thought applications could break because of inconsistencies between versions of OpenSSL. The company described it using the following language:

Although OpenSSL is commonly used in the open source community, OpenSSL does not provide a stable API from version to version. For this reason, although OS X provides OpenSSL libraries, the OpenSSL libraries in OS X are deprecated, and OpenSSL has never been provided as part of iOS. Use of the OS X OpenSSL libraries by apps is strongly discouraged.

Bruce Schneier, a data-security expert and veteran in the financial services industry, described it as a catastrophic bug that ranked 11 out of 10 on the threat scale. The problem was widespread and not a security indictment of any one firm, as many prestigious companies have been forced to update their software on the fly to plug the leak.

Besides reminding us that a million eyes looking at the same thing can overlook a problem, it also reminds us of a quote from Only the Paranoid Survive: "Anything that can be done in technology will be done."

There's much more to be done, indeed, and you can profit from it
Let's face it, every investor wants to get in on revolutionary ideas before they hit it big. Like buying PC-maker Dell in the late 1980s, before the consumer computing boom. Or purchasing stock in e-commerce pioneer Amazon.com in the late 1990s, when it was nothing more than an upstart online bookstore. The problem is, most investors don't understand the key to investing in hyper-growth markets. The real trick is to find a small-cap "pure-play" and then watch as it grows in EXPLOSIVE lockstep with its industry. Our expert team of equity analysts has identified one stock that's poised to produce rocket-ship returns with the next $14.4 TRILLION industry. Click here to get the full story in this eye-opening report.



Comments from our Foolish Readers


  • On April 16, 2014, at 8:26 PM, jeffhre wrote:

    "Apple switched to Common Crypto and 'depreciated' OpenSSL in 2011" - is that supposed to be deprecated, or am I just too old to know the difference?

  • On April 19, 2014, at 3:56 AM, imvho wrote:

    No, they wrote 10% of it off their taxes and they will continue to do so for the next 9 years!

    Of course it's deprecated, which applies to older functions which are no longer recommended. As a software engineer, I see the term all the time. But journalists might not be familiar with it.

    So anyway, thanks for an interesting and informative article!

  • On April 19, 2014, at 7:12 AM, SmartManQ8 wrote:

    Thanks for sharing this. Very informative.
