I’ve read that OSX get’s a pass on this.
What does OSX got to do with this?
This is a server side issue.
It is on the web server side (not your local PC). Sites you use could be compromised (around 500 million sites?). See: http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html
Nope! ....
It isn't necessarily 'server side' either. It could allow someone to 'impersonate' a secure server and intercept data intended to be sent to it.
“Ive read that OSX gets a pass on this.”
I hope that was satire. Perhaps not from a Mac user though... just so you know, the horrific vulnerability exposed a couple of months back in OSX 10 was a client-side exploit unique to Macs that allowed third-parties to view what should have been secure and encrypted communication, and is totally unrelated to this security issue.
Your issue was client-side, this is a different issue server-side. Whatever bandaids Apple may have applied to your Mac has absolutely zero to do with this new exploit, and will do nothing to protect you.
Trying to translate into Mac-User-language, think of it as the difference between someone sitting hopping in your car and looking over your shoulder as you type in your PIN# at the ATM, versus someone being able to electronically harvest any PIN number from any ATM.
The first instance, the client-side Mac exclusive exploit, was simply the fault of Apple and Mac Users. Like manufacturing a car without door locks, buying said car, and not taking any personal security measures to stop someone from hopping into the passenger seat and asking you what’s up.
The second instance is a bit more like ATM manufacturers using a method of encrypting and storing PIN numbers that someone was able to decode, allowing unauthorized persons to view data that should be securely encrypted.
You can’t really do anything client-side to fix this exploit, nor can Apple do anything. It’s up to each individual webpage or service on the net using the outdated versions of OpenSSL to update their servers to a more recent version of OpenSSL, and reset user passwords.