Earlier this week it came to light that OpenSSL, a widely used piece of encryption software, has a major security flaw, now known as Heartbleed. Apple today announced that iOS, OS X and other key web services were not affected by the vulnerability.
Heartbleed was discovered independently by a team of security engineers at Codenomicon and by Neel Mehta of Google Security, both of whom reported it to the OpenSSL team. Officially designated as CVE-2014-0160, the Heartbleed bug allows hackers to steal information that would otherwise be encrypted by OpenSSL, the most popular open source cryptographic library used to encrypt internet traffic. At risk are security keys, usernames, passwords, emails, instant messages and documents, among other pieces of information.
Both Apache and nginx (open source web servers) use OpenSSL, and since those two alone have a 66% market share among all active websites, you are probably at least indirectly affected. According to security blogger Bruce Schneier, "'Catastrophic' is the right word. On the scale of 1 to 10, this is an 11."
Speaking to Mike Isaac of Re/code, Apple said that they "[take] security very seriously. iOS and OS X never incorporated the vulnerable software and key Web-based services were not affected." Other major companies such as Google, Facebook and Yahoo admitted that there may have been times when their services were vulnerable.
On a positive note, the flaw has already been patched by OpenSSL; administrators now have to update their sites. You'll have to get all new security certificates, key pairs and passwords to make sure you aren't vulnerable. At least your iTunes and iCloud passwords should be safe, though.