Errata Security: More Than 300K Servers Still Vulnerable to Heartbleed
Two months after its initial discovery, Errata Security has reported that 309,197 servers running a vulnerable build of OpenSSL are still exposed to the Heartbleed security flaw.
Google (GOOG) and Finnish security firm Codenomicon independently discovered Heartbleed, which was publicly disclosed in April, and warned that “as long as [a] vulnerable version of OpenSSL is in use, [the flaw] can be abused.”
Here is a full explanation of the vulnerability from the Heartbleed dedicated website:
“The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.”
Errata Security researcher Robert David Graham noted the new data indicates “people have stopped even trying to patch” the vulnerability, despite its risks.
“Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable [to Heartbleed],” Graham wrote in a blog post.
Graham’s first scan, run in April shortly after the disclosure, had found more than 615,000 vulnerable OpenSSL servers.
A Dashlane study released last month also showed several of the world’s most popular websites did not implement even the bare minimum standard security practices after Heartbleed was reported.
Managed service providers (MSPs) have several options to check their customers’ exposure to Heartbleed, including a free online test from Qualys and Heartbleed vulnerability assessments from CloudPassage via its Halo platform. Because an exposed server may already have had its private key read from memory, remediation means more than upgrading OpenSSL: the certificate should be reissued and the old one revoked, and users should be told to change passwords once the fix is in place.
Share your thoughts about this story in the Comments section below, via Twitter @dkobialka or email me at [email protected].