300k servers still vulnerable to Heartbleed

A little over two months ago, the world watched as thousands of websites rushed to patch a critical security error in the OpenSSL software powering the systems enabling the secure transfer of data across the entire internet. Since then, as most major companies have updated their servers, the issue known as Heartbleed has been largely forgotten.

Unfortunately, it seems as though it may have been forgotten just a little too quickly. A new report by the Errata Security blog shows that there are still in excess of 300,000 servers running out-of-date, unpatched versions of OpenSSL that are completely open to attacks derived from the Heartbleed vulnerability.

By scanning port 443, one of the most commonly used server ports, Errata could establish from the server's response which version of OpenSSL it was running and determine whether the server was at risk of attack. When the vulnerability was first made public, they scanned the port and found over 600,000 systems were vulnerable.

This fell to a little over 300,000 a month after the disclosure, but worryingly little has changed since then: when port 443 was scanned last night, 309,197 of the servers found were still vulnerable to Heartbleed. The figure is down by just 9,000 since Errata's scan last month.

This is worrying, as it shows that many server administrators are simply not taking the time required to patch what is universally regarded as a very serious security issue. In the meantime, we will have to hope that the bug is not exploited further on systems still vulnerable to it. Errata promises to scan again for vulnerable servers next month, then in six months, and then yearly from there on, to keep us informed as to how many companies are at risk.

Source: Errata Security | Image via Netkandi

9 Comments

Usually it's very easy to update or patch openssl, but I believe some percentage of those servers are custom versions of SSL which are custom patched but they still report vulnerable due to the version check. It depends a bit on the type of scanner that is used. Most Heartbleed scanners just check for the openssl version, they don't actually check for the vulnerability.

Any server admins who don't patch big public holes like this shouldn't be in the job, they're just lazy, ignorant or both, and don't care what happens to people's data.

Are they servers of importance though or just like general forums, news sites that kind of thing, nothing like a shop or where personal data is communicated.. I hope..

SuperKid said,
Are they servers of importance though or just like general forums, news sites that kind of thing, nothing like a shop or where personal data is communicated.. I hope..

many people use the same credentials between forums. this becomes a big problem very quickly

seta-san said,
many people use the same credentials between forums. this becomes a big problem very quickly

While I'm not gonna go all the way to say this isn't a site administrator's problem, I *will* say that people who do that get what they deserve.

_Alexander said,
If anything like where I work, this is due to staggering levels of mismanagement.

Exactly; sometimes management doesn't care about these sorts of things (regardless of sending dozens of emails) and just doesn't want any downtime.