Researcher finds over 300,000 servers still Heartbleed-vulnerable

June 23, 2014 by Nancy Owano
Credit: Victorgrigas / Wikipedia / CC BY-SA 3.0

Back in April, discoveries made headlines over a vulnerability in OpenSSL known as Heartbleed. The flaw in OpenSSL, a software library for the protection and security of websites, was uncovered and reported to the OpenSSL team, triggering widespread awareness and advice on what steps administrators and Web users can take. In June, one can well ask, how are we doing? The answer, according to a security expert tracking the issue, is that many servers remain unpatched and vulnerable. Over half the Heartbleed-vulnerable servers are still exposed: at least 309,197 servers, still running unpatched, remain vulnerable to the exploit.

Robert Graham, researcher at Errata Security, released those numbers in a blog post on Saturday. At the time of the Heartbleed announcement in April, he said there were 600,000 systems vulnerable to Heartbleed. In May, he found that half had been patched; 300,000 were vulnerable. "Last night, now slightly over two months after Heartbleed, we scanned again, and found 300k (309,197) still vulnerable. This is done by simply scanning on port 443, I haven't check [sic] other ports."

Those numbers indicated to Graham that "people have stopped even trying to patch. We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable." He said he will scan again in July and also at the six-month mark, then yearly, to track progress.

Following the news of Heartbleed in April, users were generally told that, as a safety measure, they should use a different password for each site instead of one blanket password for the numerous sites they access, and that they should avoid older, less maintained sites that may not have patched Heartbleed. System administrators were advised to update their OpenSSL installations, to revoke compromised keys and to reissue new keys.
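The administrator advice above starts with knowing whether a host still runs an affected OpenSSL release. The following is an added example, not code from this article or from Errata Security: it classifies the first line of `openssl version` output against the affected upstream range (1.0.1 through 1.0.1f, plus the 1.0.2-beta1 pre-release; these version facts are not stated on the page) and treats a match as a lead rather than a verdict, because distributions backport the fix without changing the version letter.

```python
import re

# Upstream facts assumed here: the bug was fixed in OpenSSL 1.0.1g, the
# 1.0.2-beta1 pre-release was also affected, and the 0.9.8 / 1.0.0 branches
# never shipped the TLS heartbeat extension, so they are unaffected.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(beta\d+))?")

def parse_openssl_version(banner):
    """Parse the first line of `openssl version` output into
    (major, minor, patch, letter, pre_release), or None if unrecognised."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch, letter, pre = m.groups()
    return (int(major), int(minor), int(patch), letter or "", pre or "")

def heartbleed_status(banner):
    """Classify a version banner as 'affected', 'fixed', 'unaffected' or
    'unknown'. 'affected' means the upstream release number is in the
    vulnerable range; a distribution may have backported the fix without
    bumping the letter (a patched 1.0.1e still reports 1.0.1e), so confirm
    with the package changelog or a heartbeat test before acting on it."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    major, minor, patch, letter, pre = v
    if (major, minor, patch) < (1, 0, 1):
        return "unaffected"  # heartbeat extension absent in these branches
    if (major, minor, patch) == (1, 0, 1):
        # plain 1.0.1 and letters a..f are affected; g and later are fixed
        return "affected" if letter < "g" else "fixed"
    if (major, minor, patch) == (1, 0, 2) and pre == "beta1":
        return "affected"
    return "fixed"

if __name__ == "__main__":
    # Constructed sample banners, not output captured from any real host.
    for banner in ("OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.1g 7 Apr 2014",
                   "OpenSSL 0.9.8y 5 Feb 2013", "OpenSSL 1.0.2-beta1 24 Feb 2014"):
        print(f"{banner!r}: {heartbleed_status(banner)}")
```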

Placing the Heartbleed events in perspective, Greg Kumparak, mobile editor at TechCrunch, said on Sunday that "There's a really good reason why security researchers were so spooked by the Heartbleed bug: there's just no silver bullet. Even if we somehow banded together to get most of the world's systems patched, a big chunk of the Internet would likely be left vulnerable. Sure enough, Heartbleed beats on."

More information: blog.erratasec.com/2014/06/300k-vulnerable-to-heartbleed-two.html#.U6dgO_kZMhb

alfie_null
5 / 5 (1) Jun 23, 2014
I don't know how one might goad these intransigent web site operators into fixing their sites. Maybe search engines like Google should derank their pages or include a warning in search results. As a user of Google's search engine, I would certainly find such an action helpful.