Apple Releases AirPort Extreme and Time Capsule Firmware Update 7.7.3 With Heartbleed Fix

Tuesday April 22, 2014 2:46 PM PDT by Juli Clover
airport_utility_iconApple today released AirPort Extreme and AirPort Time Capsule Firmware Update 7.7.3 for AirPorts with 802.11ac. The update includes security improvements related to SSL/TLS.
AirPort Base Station Firmware Update 7.7.3
Available for: AirPort Extreme and AirPort Time Capsule base stations with 802.11ac

Impact: An attacker in a privileged network position may obtain memory contents

Description: An out-of-bounds read issue existed in the OpenSSL library when handling TLS heartbeat extension packets. An attacker in a privileged network position could obtain information from process memory. This issue was addressed through additional bounds checking. Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue.
Earlier this month, an OpenSSL bug known as Heartbleed made headlines, with Apple releasing a statement noting that iOS, OS X, and its "key web services" were unaffected by the security flaw, but it appears that the company's AirPort Extreme and AirPort Time Capsule were vulnerable.

The 7.7.3 update is recommended for all models of the AirPort Extreme and Time Capsule that support 802.11ac Wi-Fi, other AirPort base stations do not need to be updated.

63 comments


Top Rated Comments

(View all)
Avatar
iNosey
71 months ago

Hmm airport express not affected?

Let me let you answer that. Does the AirPort Express use 802.11ac? No. Do you even read the article?
Rating: 7 Votes
Avatar
coolfactor
71 months ago
"APPLE SUX! HAHAHAHA"

No, seriously, I wonder how many other routers out there are vulnerable to this and yet will never receive firmware updates because they are too difficult to install, unlike Airport routers?

I wonder if this vulnerability is unique to Airport routers because of the Back to the Mac feature that requires user credentials to stored in order to operate correctly?
Rating: 6 Votes
Avatar
Ralf The Dog
71 months ago

well what do you expect ?
more than a week to figure out that a product is linked with a faulty lib !!
Perhaps they don't read news :p
Good job Apple


Step 1, Find the bug.
Step 2, Fix the bug.
Step 3, Test the fix.
Step 4, Test the fix.
Step 5, Test the fix.
Step 6, Test the fix.
Step 7, Release the fix.
Rating: 5 Votes
Avatar
PsyOpWarlord
71 months ago

This is something I was also wondering, I just checked and their does not seem to be any updates for them. Hopefully they are not affected.


Did you read the article?

Only AirPort Extreme and AirPort Time Capsule base stations with 802.11ac are affected, and only if they have Back to My Mac or Send Diagnostics enabled. Other AirPort base stations are not impacted by this issue.
Rating: 5 Votes
Avatar
pgiguere1
71 months ago
Does anybody know if 802.11n AirPort Extremes need a HeartBleed patch?
Rating: 4 Votes
Avatar
csixty4
71 months ago

No. It's the SSL bug, which has nothing to do with AC vs N.


There's a good chance the firmware for 802.11n routers was never updated to use OpenSSL 1.0.1, which is where the "Heartbleed" bug was introduced. OpenSSL 0.98 and 1.0.0 were actively maintained in separate branches and had security patches back-ported. As long as the older routers didn't need the new features introduced in 1.0.1, it would be silly to upgrade the firmware just to upgrade.
Rating: 4 Votes
Avatar
rudigern
71 months ago

There is nothing to test, because it has been tested ad nauseum by thousands of people worldwide.


You don't do software development do you. Firmware is especially fragile because if it doesn't work, you could have all your customers lined out the front of your store with bricked Airports.
Rating: 4 Votes
Avatar
ColemanCDA
71 months ago

"APPLE SUX! HAHAHAHA"

No, seriously, I wonder how many other routers out there are vulnerable to this and yet will never receive firmware updates because they are too difficult to install, unlike Airport routers?

I wonder if this vulnerability is unique to Airport routers because of the Back to the Mac feature that requires user credentials to stored in order to operate correctly?


Now that I think of it I highly doubt it. Most routers that don't update firmware remotely are screwed.
Rating: 3 Votes
Avatar
C DM
71 months ago

You don't seem to realise it, but the bug has already been found (its in the OpenSSL library used by 2/3 of servers out there) and fixed on 7. of April by the OpenSSL team. Fixing it in the router involves downloading the patched source code and recompiling the router firmware - its literally takes five minutes. There is nothing to test, because it has been tested ad nauseum by thousands of people worldwide.

Its a disgrace that Apple actually took several weeks to release the fix, AFTER the existence of the bug has become common knowledge. Such things should be an absolute priority!

----------



True, but the delay in fixing it is still quite irresponsible...

Is recompiling against a recompiled source something that is guaranteed not to affect anything else whatsoever, or could there be some unknown/undesirable side-effects that no one would really know about without testing out various scenarios to see if they would still work properly or not?
Rating: 3 Votes
Avatar
LastLine
71 months ago

Step 1, Find the bug.
Step 2, Fix the bug.
Step 3, Test the fix.
Step 4, Test the fix.
Step 5, Test the fix.
Step 6, Test the fix.
Step 7, Release the fix.

You forgot

step 6.5 submit for review, wait a week
Rating: 2 Votes
[ Read All Comments ]