A little over two months ago, the world watched as thousands of websites rushed to patch a critical security error in the OpenSSL software powering the systems enabling the secure transfer of data across the entire internet. Since then, as most major companies have updated their servers, the issue known as Heartbleed has been largely forgotten.
Unfortunately, it seems as though it may have been forgotten just a little too quick. A new report by the Errata Security blog shows that there are still in excess of 300,000 servers running out-of-date, unpatched versions of OpenSSL that are completely open to attacks derived from the Heartbleed vulnerability.
By scanning port 443, one of the most commonly used server ports, Errata could establish from the server's response which version of OpenSSL it was running and determine if the server was at risk of attack. When the vulnerability was first made public, they scanned the port and found over 600,000 systems were vulnerable.
This decreased to a little over 300,000 a month after the disclosure but worryingly, little has changed since then and 309,197 of the found servers when port 443 was scanned last night were still vulnerable to Heartbleed. The figure is down by just 9,000 since Errata's scan last month.
This is worrying as it shows that many server administrators are simply not taking the time required to patch what is universally regarded to be a very serious security issue. In the meantime, we will have to hope that the bug is not exploited further on systems still vulnerable to it. Errata promises to scan again for vulnerable servers next month, then in six months and then yearly onwards to keep us informed as to how many companies are at risk.