June 23, 2014 weblog

Researcher finds over 300,000 servers still Heartbleed-vulnerable

by Nancy Owano , Tech Xplore

server
Credit: Victorgrigas/Wikideia/ CC BY-SA 3.0

Back in April, discoveries made headlines over a vulnerability in OpenSSL known as Heartbleed. The flaw in OpenSSL, a software library for the protection and security of websites, was uncovered and reported it to the OpenSSL team, triggering widespread awareness and advice on what steps administrators and Web users can take. In June, one can well ask, how are we doing? The answer, according to a security expert tracking the issue, is that many servers remain unpatched and vulnerable. Over half the Heartbleed vulnerable servers are still exposed; at least 309,197 servers are still vulnerable to the exploit; they run unpatched.

Robert Graham, researcher of Errata Security, released those numbers in a blog on Saturday. At the time of the Heartbleed announcement in April, he said there were 600,000 systems vulnerable to Heartbleed. In May, he found that half had been patched; 300,000 were vulnerable. "Last night, now slightly over two months after Heartbleed, we scanned again, and found 300k (309,197) still vulnerable. This is done by simply scanning on port 443, I haven't check [sic] other ports."

Those numbers indicated to Graham that "people have stopped even trying to patch. We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable." He said he will scan again in July and also at the six-month mark, then yearly, to track progress.

Following the news of Heartbleed in April, users generally were told that as a safety measure they might choose to use a different password everywhere instead of a blanket password for numerous sites they access and to avoid older, less maintained sites that may not have patched Heartbleed. System administrators were advised to update versions of SSL and to revoke compromised keys and reissue new keys.

Placing the Heartbleed events in perspective, Greg Kumparak, mobile editor at TechCrunch, said on Sunday that "There's a really good reason why security researchers were so spooked by the Heartbleed bug: there's just no silver bullet. Even if we somehow banded together to get most of the world's systems patched, a big chunk of the Internet would likely be left vulnerable. Sure enough, Heartbleed beats on."

More information: blog.erratasec.com/2014/06/300 … wo.html#.U6dgO_kZMhb

© 2014 Tech Xplore

Citation: Researcher finds over 300,000 servers still Heartbleed-vulnerable (2014, June 23) retrieved 23 April 2024 from https://techxplore.com/news/2014-06-servers-heartbleed-vulnerable.html
This document is subject to copyright. Apart from any fair dealing for the purpose of private study or research, no part may be reproduced without the written permission. The content is provided for information purposes only.

Explore further

Heartbleed bug shutters more Canadian gov't websites
900 shares

Feedback to editors
How potatoes, corn and beans led to breakthrough in smart windows technology

15 minutes ago
A new framework to generate human motions from language prompts

3 hours ago
New metasurface innovation unlocks precision control in wireless signals

17 hours ago
Neural networks can mediate between download size and quality, according to researcher

18 hours ago
A win-win approach: Maximizing Wi-Fi performance using game theory

18 hours ago
Plasma treatment enhances electrode material for fuel cells in industry, homes and vehicles

22 hours ago
People, not design features, make a robot social

23 hours ago
An ultralow-concentration electrolyte for lithium-ion batteries

Apr 22, 2024
A coffee roastery in Finland has launched an AI-generated blend. The results were surprising

Apr 21, 2024
Microsoft teases lifelike avatar AI tech but gives no release date

Apr 20, 2024
Load comments (1)