When the Heartbleed bug was announced, it shook the world of cyber security. Not only did it shake the cyber security community, it shook the entire spectrum of security worldwide. A security researcher has recently revealed that, nearly two months later, 300,000 servers are still vulnerable to the Heartbleed bug.
When Heartbleed struck, there was panic in the cyber security world. Banks, governments, email providers, and just about any service that used encryption were updating their OpenSSL versions. As if the bug weren’t bad enough, a leaked document showed that the NSA had abused the Heartbleed bug for over two years.
Now, two months after the Heartbleed cool-down, a researcher has found that nearly 300,000 servers are still vulnerable to the Heartbleed bug. Two months ago, just after the initial disclosure of Heartbleed, over 600,000 servers were found vulnerable. In May, the same researcher found 318,239 sites to be vulnerable. With the new research, exactly 309,197 are still vulnerable in June. This means that in one month’s time, only 9,042 were patched.
Errata, the researcher, did not release any information on what websites or servers were found vulnerable, only a number.
He was able to discover that the sites were vulnerable by scanning port 443, one of the most commonly used server ports. From there, Errata was able to establish from the server’s response which version of OpenSSL it was running and determine whether it was vulnerable to attack. Errata writes that he did not scan other ports, just the commonly used port 443.
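To make the version-based check described above concrete, here is an added example (not Errata’s scanner, and not code from the original article) that pulls an OpenSSL version out of a server banner and classifies it against the Heartbleed-affected range: upstream releases 1.0.1 through 1.0.1f plus 1.0.2-beta1 are affected, 1.0.1g and 1.0.2-beta2 shipped the fix, and the 1.0.0 and 0.9.8 branches never contained the TLS heartbeat code. The banners are constructed samples, not real scan results, and the function names are this example’s own.

```python
import re

# Matches an OpenSSL version as it appears in a banner or "Server:" header,
# e.g. "OpenSSL/1.0.1e", "OpenSSL 1.0.2-beta1", "OpenSSL/1.0.0-fips".
OPENSSL_RE = re.compile(
    r"OpenSSL[/ ](?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"(?P<letter>[a-z]*)(?:-beta(?P<beta>\d+))?"
)


def parse_version(text):
    """Return (major, minor, patch, letter, beta) or None if no OpenSSL
    version string is present in the text."""
    m = OPENSSL_RE.search(text)
    if not m:
        return None
    beta = int(m.group("beta")) if m.group("beta") else None
    return (int(m.group("major")), int(m.group("minor")),
            int(m.group("patch")), m.group("letter"), beta)


def is_heartbleed_affected(version):
    """True if the upstream OpenSSL release is in the Heartbleed range.
    Affected: 1.0.1 (no letter) through 1.0.1f, and 1.0.2-beta1.
    Fixed: 1.0.1g and later, 1.0.2-beta2 and later.
    Never affected: 1.0.0.x and 0.9.8x (no heartbeat extension)."""
    major, minor, patch, letter, beta = version
    if (major, minor, patch) == (1, 0, 1):
        # "" (plain 1.0.1) sorts before "a"; "g" and later sort after "f".
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1
    return False


def classify_banner(banner):
    """Classify one banner as 'affected', 'not affected', or 'unknown'
    (unknown = no OpenSSL version advertised, so nothing can be concluded)."""
    version = parse_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_heartbleed_affected(version) else "not affected"


def summarize(banners):
    """Count banners per classification, the way a scan report would."""
    counts = {"affected": 0, "not affected": 0, "unknown": 0}
    for banner in banners:
        counts[classify_banner(banner)] += 1
    return counts


# Constructed sample banners for demonstration (not data from any real scan).
SAMPLE_BANNERS = [
    "Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e",   # pre-fix 1.0.1 release
    "Apache/2.4.9 (Unix) OpenSSL/1.0.1g",      # first fixed release
    "nginx/1.4.7 OpenSSL 1.0.2-beta1",         # affected beta
    "Apache/2.2.15 (CentOS) OpenSSL/1.0.0-fips",  # branch never affected
    "Microsoft-IIS/7.5",                       # no OpenSSL version at all
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{classify_banner(banner):<13} {banner}")
    print(summarize(SAMPLE_BANNERS))
```

One caveat a practitioner would add: a version string alone overcounts, because several distributions backported the fix into packages that kept the 1.0.1e version number. A banner that classifies as "affected" is therefore a prompt to check the vendor’s package changelog, not a verdict.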
“This indicates people have stopped even trying to patch. We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable. I’ll scan again next month, then at the 6 month mark, and then yearly after that to track the progress.”
Although the number is decreasing, it is still worrying that so many websites and servers remain vulnerable. Exactly 309,197 servers were vulnerable in Errata’s scan just last night. The worry is that server administrators are not taking the time to implement proper security measures, or even to patch their systems. As the number slowly declines, Errata promises to scan again during the coming months, and we can only hope the number falls to near zero.