As you may be aware, the “Heartbleed” bug in OpenSSL has made the rounds across the internet. As soon as it was disclosed this week we began an investigation to see where we were impacted. Xojo.com services were updated and our SSL certificate was quickly reissued. Xojo Cloud servers were also rapidly updated. This does mean that (like many sites) we were potentially vulnerable for a time until the patch was released.
As of this posting, we are not aware of any exploit in our services. Still, our recommendation is that you change your passwords on commonly used websites- including Xojo.com– now that many sites have been patched. As you do so, please remember not to reuse the same password across every site to keep yourself secure.
The Xojo product itself uses OpenSSL in its secure sockets and we began researching what versions might have this vulnerability. Mac and Linux apps built with Xojo are not vulnerable. We did find a limited scenario where Windows apps could potentially be vulnerable. The specific case is when all of the following are true:
- Your app is built with Xojo 2013r4 or 2014r1. Apps built with older or newer versions of Xojo are not impacted.
- Your app is built for- and running on- Windows
- Your app uses secure sockets (SSLSocket, SMTPSecureSocket, POP3SecureSocket, HTTPSecureSocket, PostgreSQLDatabase w/SSL, or is a standalone web app that uses an SSL certificate)
We’ve addressed this in Xojo 2014r1.1 which is now in the final phase of testing and will be publicly released soon. If you have any apps that run on Windows and meet the above criteria, we recommend that you rebuild your application and update it using 2014r1.1.