Two months after the Heartbleed bug was discovered, at least 300,000 servers remain vulnerable to the exploit.
Heartbleed, discovered by a Google engineer, caused widespread panic and a furious round of server patching by companies worldwide. The security kink impacts OpenSSL and, if exploited, can leak account login details and passwords. What made this bug different, however, is its inherent nature within the OpenSSL framework, an open source project used by thousands of sites online — which left huge numbers of servers on the Web exposed.
Once Heartbleed was publicized, security researcher Robert David Graham from Errata Security found that roughly 600,000 servers were vulnerable to the security flaw. One month later, half of these servers had been patched and protected against Heartbleed, and only 318,239 were left exposed.
However, two months after Heartbleed, 309,197 servers remain unprotected — a patch rate plummeting from double to single percentage digits as only 9,042 new servers have been patched in the last month.
The security researcher says this stagnation means people have stopped even trying to patch systems, and there should be a "slow decrease" in the number of vulnerable systems as older servers are replaced. However, now that the top few thousand companies online have protected themselves, it is unlikely the smaller firms that have not already done so will follow suit.
"Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable," Graham says.
What does this mean for account holders? If you're concerned about account details, used McAfee's free checker to find out if a website is vulnerable. Better still, use a different password for each of your online accounts.