Heartbleed bug still an issue for over 300,000 servers after 60 days

updated 02:42 pm EDT, Mon June 23, 2014

Only 9,000 servers patched OpenSSL bug since May scan for vulnerable systems

It appears that updates for servers running a version of OpenSSL susceptible to the Heartbleed bug reached a stalling point this month. Security research firm Errata Security updated its monthly scan numbers and found that over 300,000 servers are still open to attack through the TLS Heartbeat extension. These systems can still give up SSL private keys, passwords or credit card numbers to anyone who knows how to exploit the bug.

The number is still a significant decrease from the initial figures when the Heartbleed bug was first disclosed in April. However, it is a drop of only 9,042 servers from May (318,239 versus 309,197), based on the criteria of Errata Security's scan parameters. No new figures were given for the number of SSL handshakes, or the number of systems supporting SSL, seen during the scanning process.

"This indicates people have stopped even trying to patch," says Errata Security's Robert Graham. "We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable."

Graham kept tabs on patching progress by running a scan against port 443. He has previously said that these scans are done only against IPv4 addresses. Other ports haven't been checked, so the true number of systems still open to attack could be even higher.

With such a high number of servers still open to exploitation of the SSL flaw, there are still serious security implications on the horizon. Internet users should continue to exercise caution about which sites they visit, and check whether the sites they frequent have applied updated patches. While most large sites have most likely patched, given the nature and publicity surrounding the bug, smaller sites or those with poor security practices could remain vulnerable for some time.

When questioned about reaching out to these sites, Graham indicated that the process of informing those still vulnerable "would cause more problems than it would solve." If a list of sites open to attack were published, it would probably do more damage than good if the sites weren't fast enough to issue updates. He did not address the possibility of contacting the server owners privately.

Graham stated that he would conduct another series of scans for vulnerable systems in July, before switching to a six-month scan interval. After that, it will be a yearly scan for servers still running vulnerable OpenSSL.

by MacNN Staff
