Heartbleed: Over 300,000 servers still exposed

Summary: Two months after the infamous 'Heartbleed' bug was discovered, over half of vulnerable servers remain unpatched and still exposed.

TOPICS: Security, Servers

Two months after the Heartbleed bug was discovered, at least 300,000 servers remain vulnerable to the exploit.

Heartbleed, discovered by a Google engineer, caused widespread panic and a furious round of server patching by companies worldwide. The flaw sits in OpenSSL and, if exploited, can leak account login details and passwords. What made this bug different is that it lived in OpenSSL itself, an open source library used by thousands of sites, which left huge numbers of servers on the Web exposed.

See also: Heartbleed's engineer: It was an 'accident' 

Once Heartbleed was publicized, security researcher Robert David Graham from Errata Security found that roughly 600,000 servers were vulnerable to the security flaw. One month later, half of these servers had been patched and protected against Heartbleed, and only 318,239 were left exposed.

However, two months after Heartbleed, 309,197 servers remain unprotected. The patch rate has fallen from double-digit to single-digit percentages, with only 9,042 additional servers patched in the last month.

The security researcher says this stagnation means people have stopped even trying to patch systems, and that from here on there should only be a "slow decrease" in the number of vulnerable systems as older servers are replaced. Now that the top few thousand companies online have protected themselves, it is unlikely the smaller firms that have not already done so will follow suit.

"Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable," Graham says.

What does this mean for account holders? If you're concerned about account details, use McAfee's free checker to find out if a website is vulnerable. Better still, use a different password for each of your online accounts.

  • It may depend on how you determine if the server is vulnerable.

    There are/were options that disabled the vulnerable feature...

    Thus the version number would not change, making a simple SSL version check incorrect.
    • Citation Needed

      The only mitigation option I am aware of is the compile-time option -DOPENSSL_NO_HEARTBEATS, which isn't used by default. In other words, you can't just change a setting; you have to recompile. If you can do that, you might as well upgrade.

      I also googled their tool. It *appears* to check that the HEARTBEAT option is enabled, but I don't see it clearly spelled out anywhere.

      I think it's safe to say that there really are that many vulnerable servers out there.

      If I'm wrong, please cite your source.
      • No - that's the option.

        The problem is that you can't test for the option though.

        The only way to actually test and verify is to actually hack the site - and that is an illegal activity.
      • "Might as well upgrade" not an option for the enterprise.

        For Redhat/CentOS/Oracle Enterprise Linux systems, "Might as well upgrade" doesn't cut it.

        Starting with version openssl-1.0.1e-16.el6_5.7.x86_64, Redhat has mitigated the problem by using the "-DOPENSSL_NO_HEARTBEATS" option. Redhat is not ready to sign off on openssl-1.0.1g with the bounds check on the memcpy.

        Enterprise admins are not in the habit of just updating to the newest version of whatever, whenever, because they are paying Redhat to do the vetting of new packages.

        So like jessepollard says, just a version check for 1.0.1 thru 1.0.1e is not a reliable test.

        However, the article doesn't actually say what test(s) are being used.
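The thread above makes the point that a bare version check is not a reliable Heartbleed test, because Red Hat shipped the fix as a backport (openssl-1.0.1e-16.el6_5.7, built with -DOPENSSL_NO_HEARTBEATS) without changing the "1.0.1e" version string. The following is an added example, not code from the article or from any commenter, showing how a package inventory check can keep the naive upstream verdict next to a vendor-aware one. It assumes the upstream facts that only the 1.0.1 branch (1.0.1 through 1.0.1f) is affected and 1.0.1g is fixed, takes the el6 release boundary from the comment above and assumes it applies to every el6 openssl build, and treats any other vendor tag as inconclusive rather than guessing; the sample package strings other than the one quoted in the thread are constructed.

```python
"""Vendor-aware Heartbleed exposure check on OpenSSL version / RPM package strings."""
import re
from typing import Optional, Tuple

# Upstream facts: only the 1.0.1 branch (1.0.1 through 1.0.1f) carried the bug,
# 1.0.1g removed it, and 1.0.0 / 0.9.8 never had the heartbeat code.
# (Affected 1.0.2 pre-release betas are out of scope for this check.)
FIRST_FIXED_LETTER = "g"

# Backport boundary quoted in the thread: openssl-1.0.1e-16.el6_5.7 is built with
# -DOPENSSL_NO_HEARTBEATS while keeping the "1.0.1e" version string.
# Assumption: this release boundary applies to all el6 openssl builds.
RHEL6_FIXED_RELEASE = "16.el6_5.7"

_UPSTREAM_RE = re.compile(r"(\d+(?:\.\d+)*)([a-z]*)")
_NVR_RE = re.compile(
    r"^(?P<name>[a-z0-9+_-]+?)-(?P<ver>\d[^-]*)-(?P<rel>[^-]+?)"
    r"(?:\.(?P<arch>x86_64|i686|i386|noarch|aarch64|ppc64le|s390x))?$"
)


def upstream_status(version: str) -> str:
    """Classify a bare upstream version string: vulnerable / fixed / not-affected."""
    m = _UPSTREAM_RE.fullmatch(version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    numbers = tuple(int(x) for x in m.group(1).split("."))
    letter = m.group(2)  # "" for a plain 1.0.1, "e" for 1.0.1e, ...
    if numbers != (1, 0, 1):
        return "not-affected"
    return "fixed" if letter >= FIRST_FIXED_LETTER else "vulnerable"


def _tokens(label: str):
    return re.findall(r"\d+|[A-Za-z]+", label)


def rpm_label_cmp(a: str, b: str) -> int:
    """Simplified rpmvercmp: numeric runs compare as integers, alpha runs lexically,
    a numeric run outranks an alpha run, and a longer label outranks its own prefix."""
    ta, tb = _tokens(a), _tokens(b)
    for x, y in zip(ta, tb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))


def parse_nvr(package: str) -> Optional[Tuple[str, str, str]]:
    """Split an RPM-style name-version-release[.arch] string; None for a bare version."""
    m = _NVR_RE.match(package)
    if not m:
        return None
    return m.group("name"), m.group("ver"), m.group("rel")


def assess(package_or_version: str) -> dict:
    """Return the naive verdict (version string only) beside the vendor-aware one."""
    nvr = parse_nvr(package_or_version)
    if nvr is None:
        verdict = upstream_status(package_or_version)
        return {"naive": verdict, "verdict": verdict, "reason": "upstream version string"}
    _name, version, release = nvr
    naive = upstream_status(version)
    if naive != "vulnerable":
        return {"naive": naive, "verdict": naive, "reason": "upstream version decides"}
    if re.search(r"\.el6(?!\d)", release):
        if rpm_label_cmp(release, RHEL6_FIXED_RELEASE) >= 0:
            return {"naive": naive, "verdict": "fixed",
                    "reason": f"el6 release {release} >= {RHEL6_FIXED_RELEASE}: "
                              "built with -DOPENSSL_NO_HEARTBEATS"}
        return {"naive": naive, "verdict": "vulnerable",
                "reason": f"el6 release {release} < {RHEL6_FIXED_RELEASE}"}
    return {"naive": naive, "verdict": "inconclusive",
            "reason": "version looks vulnerable but the vendor may have backported the "
                      "fix; check the vendor advisory or the build's heartbeat support"}


if __name__ == "__main__":
    # Constructed inventory lines; only the el6_5.7 package is quoted from the thread.
    for item in ("1.0.1f", "1.0.1g", "1.0.0l",
                 "openssl-1.0.1e-16.el6_5.7.x86_64",
                 "openssl-1.0.1e-16.el6_5.4.x86_64",
                 "openssl-1.0.1e-3.examplevendor.x86_64"):
        r = assess(item)
        print(f"{item:40} naive={r['naive']:13} verdict={r['verdict']:13} {r['reason']}")
```

The design point is the third verdict: when a vendor tag is present that the check has no boundary for, the honest answer is "inconclusive", which is exactly the gap the commenters describe, rather than a false "vulnerable" count or a silent pass.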
  • OK, so....

    I keep hearing about all these "vulnerable servers", yet, unless I've missed it, not one mention of proof that anyone has actually hacked into one and compromised something due to the Heart Bleed vulnerability. They had a test site up with the Heart Bleed problem and challenged people to hack it, and after a week, only 4 people had gotten in. So, is this the usual security hype BS?
    • There is a lot of hype.

      As far as I know, the only "in the wild" exploit of heartbleed was 900 records stolen from Revenue Canada, and the RCMP bagged the offender in less than 3 days of investigation, which leads me to believe log and audit files gave a very complete path back to the offender.

      Security experts have also admitted it is not easy to exploit heartbleed, so for sure, it is mostly hype.
  • Browsers Need to Start Checking for Heartbleed

    I think IE, Firefox, and Chrome should start checking for HEARTBLEED before establishing an SSL/TLS connection. If end-users get alarming warnings, it will light a fire under admins to fix the sites.
    • Agreed!

      Yes you are right! It would be a lot better, especially those who don't have great skills with computers. The main source of accessing the internet, the browser, should handle checks. Add a reporting system too.
  • Regulation

    This cries out for regulation. It's obvious many sites have not taken this seriously. I was very disappointed that a number of the sites I deal with were not clear in whether they were vulnerable and/or what they were doing about it. I had to contact various companies and, even then, it was not easy to get clear info. Overall, industry response was lacking.

    If these companies can get sued or shut down, however, things might change. Sure, this would mean litigation, but the threat of that creates a barrier to entry that would help ensure only people/companies who take security seriously would be offering services. And it does open the door to vulture lawyers, who I don't like and I think should be cracked down on, also, but what we're talking about here is people's online profile. When it is vulnerable to getting stolen, serious damage can occur, including theft of financial assets. Companies not taking this seriously should not be in business and I fully support putting them right out of business as fast as possible.
  • The age old problem and it's much wider than heartbleed

    People that don't or can't upgrade their systems. If you're in the latter group consider yourself a bottom feeder, the former are just too lazy or ignorant to bother. Either way systems still vulnerable to heartbleed are likely vulnerable to any number of other issues they never bothered to fix either.

    Publish the site names so people can avoid them like the plague.
    • You're right about the age old problem.

      There are too many companies unwilling to pay for much needed updating.

      I would not be surprised if many of these 309,000 systems are in the same buildings as many of the IE 6 only web servers. Many companies pay for a web server to be set up, and then fail to budget anything to keep them updated.
  • Site24x7 Heartbleed Check Tool!!

    If you want your websites to be checked for a Heartbleed bug, use Site24x7 Heartbleed Vulnerability Test tool!! Just enter the URL of your website and submit it. Be sure your websites are protected. https://www.site24x7.com/check-heartbleed-vulnerability.html