300,000 Servers Still Vulnerable to Heartbleed OpenSSL Bug
PCMag reports that almost three months after the OpenSSL bug was discovered, 300,000 servers are still vulnerable to the Heartbleed bug. Errata Security found that a total of 309,197 servers are still vulnerable, down from about 600,000 when the vulnerability was announced. However, the data reveals that patch rates have significantly declined from the weeks after Heartbleed was initially publicized. Security researcher Robert Graham of Errata explains:
This indicates people have stopped even trying to patch. We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable.
Errata found the vulnerable servers by scanning port 443 on internet-facing hosts and testing each one for the flaw. ZDNet reports that only 9,042 additional servers have been patched in the past month. That contrasts with the flurry of activity following the bug’s discovery: after the first month, only 318,239 of the roughly 600,000 originally vulnerable servers remained unpatched. VentureBeat reported that within ten days of Heartbleed being publicized, the top 1,000 sites in the world had all been properly patched against the bug.
Initially discovered by a Google engineer, Heartbleed exposes huge amounts of data that should have stayed encrypted to attackers, who could recover a server’s encryption keys and use them to decrypt usernames, passwords, other login details, and other sensitive information. Heartbleed’s impact is so wide because OpenSSL, the open source cryptographic library in which the bug lives, is used by thousands of sites. Mashable reports that the OpenSSL bug sat dormant for two years before it was discovered.
Consumers received a flurry of emails and notifications following the initial reveal of the bug. Many came from sites that were aware of their vulnerability, had applied the patch, and asked users to reset their passwords or login information in case their data had been compromised. Those were good emails to receive: once a site has applied the patch, users should change their password there, and should use a different password for each site they log in to.