Apple releases Heartbleed fix for AirPort Base Stations
Apple on Tuesday patched a bug in its most recent AirPort Extreme and Time Capsule models related to the Heartbleed OpenSSL vulnerability discovered earlier this month.
The update, AirPort Base Station Firmware Update 7.7.3, is only for the AirPort Extreme and Time Capsule base stations with 802.11ac, introduced in June 2013, and fixes a vulnerability that existed only when the Back to My Mac feature was turned on.
Apple provided this statement to Macworld regarding the update:
The firmware update provides a fix for the recent OpenSSL vulnerability for the latest generation of 802.11ac enabled AirPort Extreme and AirPort Time Capsule base stations (June 2013). This vulnerability only impacts recent Airport devices that have the Back to My Mac feature enabled. Customers with previous generation AirPort Extreme and AirPort Time Capsules do not need to update their base stations.
The vulnerability would not leak passwords, but could allow a man-in-the-middle attacker between a user and a router to gain access to login screens for a router or a computer. However, in contrast to the vulnerabilities found when OpenSSL software was running on popular Web servers, Apple IDs and other passwords would not be leaked.
If you’re using new AirPort hardware and have Back to My Mac turned on, you should run the update immediately. Older models are unaffected, as are current models with Back to My Mac disabled.