updated 02:42 pm EDT, Mon June 23, 2014
Only 9,000 servers patched OpenSSL bug since May scan for vulnerable systems
It appears that updates for servers running a version of OpenSSL susceptible to the Heartbleed bug reached a stalling point this month. Security research firm Errata Security updated its monthly scan numbers and found that over 300,000 servers are still open to attack through the Heartbeat feature. These systems can still give up SSL keys, passwords or credit card numbers to anyone who knows how to exploit the bug.
The number is still a significant decrease from the initial count when the Heartbleed bug was first discovered in April. However, it is a drop of only 9,042 servers from May (318,239 versus 309,197) based on the criteria of Errata Security's scan parameters. No new figures were given for the number of SSL handshakes or the number of systems supporting SSL during the scanning process.
"This indicates people have stopped even trying to patch," says Errata Security's Robert Graham. "We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable."
Graham kept tabs on the system patches by running a scan on port 443. Previously, he said that these scans were done only on IPv4 addresses. Other ports haven't been checked, so the number of systems still open to attack could be even higher.
With such a high number of servers still open to exploitation of the SSL flaw, there are still serious security implications on the horizon. Internet users are left to exercise caution in which sites they visit, as well as checking for updated patches on sites they frequent. While most large sites have most likely patched due to the nature and publicity surrounding the bug, smaller sites or those with poor security practices could remain vulnerable for some time.
When questioned about reaching out to these sites, Graham indicated that the process of informing those still vulnerable "would cause more problems than it would solve." If a list of sites open to attack were published, it would probably do more damage than good if those sites weren't fast enough to issue updates. He did not address the possibility of contacting the server owners privately.
Graham stated that he would conduct another series of scans for vulnerable systems in July, before switching over to a six-month scan. Afterward, it will become a yearly scan of OpenSSL servers.