Last month, a new security flaw came to light known as HeartBleed. HeartBleed is a flaw in a widely used cryptography package, and was found to affect around 600,000 servers worldwide. It could be used to acquire passwords, login info, and even encryption data. According to Ars Technica, two recent estimates show that it is still prevalent today.
As of a little more than four weeks ago, a scan performed by the CEO of Errata Security, Rob Graham had found that about 615,268 were vulnerable to this attack, and on Thursday, another scan showed a little more than half the previous amount were affected; about 318,239 servers which still run the OpenSSL crypto library that enables the "Heartbeat" feature where the flaw lies encased in the code. Although a separate scan was performed with somewhat varied techniques, which suggested that slightly less than half of the servers believed to be affected still remain subject to exploitation. The tool which had been used was named the TLS Prober by a researcher known as Yngve. Using this tool, he found that 5.36% of all servers were affected by HeartBleed as of April 11, only a few days after the exploit had been disclosed. In his latest blog post, he claimed that 2.33% of servers are still affected today. Although this number does not include servers which provide a VPN or email service.
Yngve had also stated that the number of servers using vulnerable encryption accelerators manufactured by F5 had not changed by much, and that the reason may be due to new F5 BigIP systems coming up that are still vulnerable to the HeartBleed attack. The researcher stated that "As BigIP servers are used by sites serving large number[s] of users, this represents a significant security problem for those users." He added that out of the sites that have been patched in the past month, an estimated two-thirds of websites may not have revoked their old certificates to create updated versions. Ars Technica had stated that updating OpenSSL software is only the first step to closing the HeartBleed security flaw.