OVER 300,000 SERVERS are still vulnerable to the Heartbleed bug, a month after security researcher Robert David Graham warned about the flaw at his Errata Security news website.
Immediately after the bug was announced, Graham found that some 600,000 servers were exposed by Heartbleed, and a month ago he warned that 318,239 systems were still unpatched. Over the weekend, he found that at least 309,197 servers are still vulnerable, meaning that only 9,042 have been patched in the last month to block the exploit.
Because Heartbleed isn't making headlines anymore, Graham worries that smaller websites aren't bothering to patch vulnerable servers.
"This indicates people have stopped even trying to patch," he said. "We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable."
Graham said that he will scan again next month, then at the six month mark, and then yearly after that to track the progress of servers being patched to fix the Heartbleed bug.
Last month, Graham suspected that some websites were blocking his scans and therefore his study might not be as accurate as it could be, so the reality might be even worse than first thought.
"The numbers are a little strange. Last month, I found 28 million systems supporting SSL, but this month I found only 22 million. I suspect the reason is that this time, people detected my Heartbleed 'attacks' and automatically firewalled me before the scan completed," he added.
Graham's scans do show the number of vulnerable systems halving, though that is perhaps more than anyone would have hoped for. In total, Graham found that 1.5 million systems still support the "heartbeat" feature, and that 300,000 of them are unpatched.
He suspects that some vulnerabilities persist because of errors during the cleanup process, saying that repeated efforts to tackle Heartbleed could have had the opposite effect.