Printed from http://www.electronista.com

Heartbleed bug still an issue for over 300,000 servers after 60 days

updated 02:42 pm EDT, Mon June 23, 2014

Only about 9,000 servers have patched the OpenSSL bug since May's scan for vulnerable systems

It appears that patching of servers running a version of OpenSSL susceptible to the Heartbleed bug (CVE-2014-0160) stalled this month. Security research firm Errata Security updated its monthly scan numbers and found that over 300,000 servers are still open to attack through the TLS Heartbeat extension. The bug is a missing bounds check on the length field of a heartbeat request: a client can declare a payload far longer than it actually sent, and an unpatched server copies up to 64KB of its own process memory into the reply. Systems that remain unpatched can therefore still give up private SSL keys, session cookies, passwords or credit card numbers to anyone who knows how to craft the request.

The number is still a significant decrease from the initial figures when the Heartbleed bug was first disclosed in April. However, it is a drop of only 9,042 servers from May (318,239 in May versus 309,197 in June) under the criteria of Errata Security's scan parameters. No new figures were given for the number of SSL handshakes completed, or for the number of systems that supported SSL at all during the scan.

"This indicates people have stopped even trying to patch," says Errata Security's Robert Graham. "We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable."

Graham tracked patching by scanning port 443 across the IPv4 address space. As he noted previously, the scans cover only IPv4 addresses and only that one port; other ports, and hosts reachable only over IPv6, were not checked, so the true number of systems still open to attack is likely even higher.

With such a high number of servers still open to exploitation of the SSL flaw, there are serious security implications ahead. Users should still exercise caution about which sites they visit, and check whether the sites they frequent have been patched. While most large sites have almost certainly patched, given the nature of the bug and the publicity surrounding it, smaller sites or those with poor security practices could remain vulnerable for some time.

When questioned about reaching out to these sites, Graham indicated that informing those still vulnerable "would cause more problems than it would solve." A published list of sites open to attack would likely do more harm than good if the sites could not issue updates fast enough to stay ahead of attackers. He did not address the possibility of contacting the server owners privately.

Graham stated that he would conduct another round of scans for vulnerable systems in July, before switching to a six-month interval. After that, the scan for still-vulnerable OpenSSL servers will run yearly.



By Electronista Staff