June 23, 2014

Vulnerabilities Remain As Many Servers Go Unpatched After Heartbleed Was Discovered

Peter Suciu for redOrbit.com - Your Universe Online

The Heartbleed beats on. More than two months after the Heartbleed vulnerability was discovered, it continues to linger, and the exact extent of the security hole remains worrisome. This past weekend security researcher David Graham of Errata Security announced that more than 300,000 servers are likely still vulnerable to the exploit.

Graham added that, after the vulnerability was discovered, some 600,000 servers were found to be exposed to Heartbleed, and within a month nearly half had been patched or updated. That seemed like real progress. Since that initial wave of patching, however, the effort has slowed to a trickle.

"When the Heartbleed vulnerability was announced, we found 600k systems vulnerable. A month later, we found that half had been patched, and only 300k were vulnerable," Graham wrote on the Errata Security blog on Saturday. "Last night, now slightly over two months after Heartbleed, we scanned again, and found 300k (309,197) still vulnerable. This is done by simply scanning on port 443, I haven't check [sic] other ports.

"This indicates people have stopped even trying to patch," Graham added. "We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable. I'll scan again next month, then at the 6 month mark, and then yearly after that to track the progress."

It is hard to fathom that only about 9,000 servers were actually patched in the past month. That means only three percent of the servers that still had the vulnerability were patched in the second month after the security hole was revealed. Various websites have criticized the slow pace of the efforts to address the problem.

"It's safe to assume that most of the bigger sites have been patched," wrote Pranav Dixit for Gizmodo on Sunday. "But the fact that more than half the servers haven't bothered to implement the fix should give you cause for concern. Heartbleed, after all, was little more than a dumb coding mistake that could easily be exploited by hackers to get all sorts of sensitive information like usernames, passwords, encryption keys and more from websites."

TechCrunch noted that "progress is progress," but added that the progress has reached a plateau.

"What this means, oversimplified: while almost all of the Internet's most popular sites (the top 1000 or so — the biggest, most obvious targets for attackers) are no longer vulnerable, lots and lots of smaller sites/systems are still at risk," Greg Kumparak wrote for TechCrunch on Sunday. "And based on the patch rate just 2 months later, after the appropriately huge hype surrounding the bug has tapered, that… probably won't ever change."

Heartbleed is the nickname for a flaw in OpenSSL, an open-source cryptographic library that implements SSL (Secure Sockets Layer) and TLS (Transport Layer Security) encryption. It is not a virus but a flaw that can be exploited to capture usernames, passwords and, most worrisome of all, the encryption keys used by site servers. It was reportedly introduced into OpenSSL in late 2011.