How would a hacker gain access if you are not running a service that listens for connections?
Bitcoin 0.9.0 and earlier was vulnerable if you used the remote RPC feature but not if you didn't (edited brain fart)
I agree he should update OpenSSL library, but his computer is only vulnerable if he has services listening.
Actually version 0.9.0 has an additional vulnerability not present in 0.8.x (so OP's version isn't affected). Version 0.9.0 added support for the
payment protocol (BIP70) and for
payment protocol URIs (BIP72). If an attacker could convince you to to click on a BIP72 payment link, Bitcoin Core would establish an SSL connection to a remote server under the attacker's control which could then exploit Heartbleed.
The general advice is that if you've ever clicked on any payment link before while having version 0.9.0 installed, you should upgrade and then recreate your wallet, and stop using your old receiving addresses.