WEEKS AFTER the worst thing to happen to the internet since selfies, web servers are still suffering from the fallout of the Heartbleed vulnerability.
Heartbleed shook the industry like a bear might a salmon. It caused most companies to come forward and issue alerts and patches. Some laggard servers remain, though, and according to security research over 300,000 are still vulnerable to exploitation.
Robert Graham, writing at his Errata Security news website, said that his studies had uncovered many unpatched systems. He added that he had expected to find more, but suspected that some websites were blocking his scans and therefore his study might not be as accurate as it could be.
"It's been a month since the Heartbleed bug was announced, so I thought I'd rescan the internet (port 443) to see how many systems remain vulnerable. Whereas my previous scan a month ago found 600,000 vulnerable systems, today's scan found roughly 300,000 systems (318,239 to be precise)," he said.
"The numbers are a little strange. Last month, I found 28 million systems supporting SSL, but this month I found only 22 million. I suspect the reason is that this time, people detected my Heartbleed 'attacks' and automatically firewalled me before the scan completed."
Graham's scans do show a halving in the number of vulnerable systems, but 300,000 still exposed is perhaps more than anyone would have hoped for. In total Graham found that 1.5 million systems still support the "heartbeat" feature, and that 300,000 of those are unpatched.
He suspects that some vulnerabilities persist because of errors during the clean-up process, saying that repeated efforts to tackle Heartbleed could have had the opposite effect.
"Last month, I found [one] million systems supporting the 'heartbeat' feature (with one third patched). This time, I found 1.5 million systems supporting the 'heartbeat' feature, with all but the [300,000] patched," he added.
"This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled."