The Application Threat Intelligence Team Members Discuss the FaceTime and Heartbleed Updates
Author: David Avery
The FaceTime vulnerability, introduced in February 2014 through a single line of errant code that allowed attackers to bypass SSL/TLS verification routines, made OS X users vulnerable to a man-in-the-middle attack. An attacker on a shared wired or wireless network could intercept communications from affected machines, acquire sensitive information such as login credentials and passwords, or inject malware.
Heartbleed is a security bug disclosed in April 2014 in the OpenSSL cryptography library, a widely used implementation of the Transport Layer Security (TLS) protocol. It stems from improper input validation (a missing bounds check) in OpenSSL's implementation of the TLS heartbeat extension, hence the bug's name. The vulnerability is classified as a buffer over-read: the software reads more data out of a buffer than it should be permitted to.
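The missing bounds check described above, as an added example in C that is not code from the page or from OpenSSL: a heartbeat-record parser following the RFC 6520 layout that bounds the peer's claimed payload length by the bytes that actually arrived. The two sample records are constructed for the example.

```c
/* Added example, not code from the page or from OpenSSL: the TLS
 * heartbeat record layout (RFC 6520) with the bounds check whose
 * absence caused Heartbleed. Layout: 1-byte type, 2-byte payload_length
 * (big-endian), payload, then at least 16 bytes of random padding. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define HB_HDR_LEN     3   /* type + payload_length */
#define HB_MIN_PADDING 16

/* Parse one heartbeat record of record_len bytes. On success copy the
 * payload into out (capacity out_cap) and return its length. Return -1
 * if the record is too short, if the peer's claimed payload_length does
 * not fit inside the bytes that actually arrived (the Heartbleed
 * condition: trusting the length field leads to a buffer over-read),
 * or if out is too small to hold the payload. */
int heartbeat_payload(const uint8_t *rec, size_t record_len,
                      uint8_t *out, size_t out_cap)
{
    if (record_len < HB_HDR_LEN + HB_MIN_PADDING)
        return -1;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2]; /* network byte order */
    /* The check that was missing: bound the peer-controlled length by
     * the record length before touching any payload bytes. */
    if (claimed + HB_HDR_LEN + HB_MIN_PADDING > record_len)
        return -1;
    if (claimed > out_cap)
        return -1;
    memcpy(out, rec + HB_HDR_LEN, claimed);
    return (int)claimed;
}

/* Constructed sample: a well-formed request carrying the 4-byte payload
 * "ping" followed by 16 bytes of (zero) padding. */
int demo_well_formed(void)
{
    uint8_t rec[HB_HDR_LEN + 4 + HB_MIN_PADDING] = {1, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    return heartbeat_payload(rec, sizeof rec, out, sizeof out); /* returns 4 */
}

/* Constructed sample: the same 4-byte payload, but payload_length claims
 * 0xFFFF bytes; the check rejects it instead of reading past the record. */
int demo_oversized_claim(void)
{
    uint8_t rec[HB_HDR_LEN + 4 + HB_MIN_PADDING] = {1, 0xFF, 0xFF, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    return heartbeat_payload(rec, sizeof rec, out, sizeof out); /* returns -1 */
}

int main(void)
{
    printf("well-formed: %d, oversized claim: %d\n",
           demo_well_formed(), demo_oversized_claim());
    return 0;
}
```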
Both of these issues were serious in that they affected common and virtually omnipresent OS components.