Heartbleed still a threat: Over 300,000 servers remain exposed
Two months after the infamous bug was discovered, more than half of vulnerable servers remain unpatched.
Two months after the Heartbleed bug was discovered, at least 300,000 servers remain vulnerable to the exploit.
Heartbleed, discovered by a Google engineer, caused widespread panic and a furious round of server patching by companies worldwide. The security kink impacts OpenSSL, an open-source software for encrypting information across the Web, and, if exploited, can leak account log-in details and passwords. What made this bug different: its inherent nature within the OpenSSL framework, which is used by thousands of websites, left huge numbers of servers on the Web exposed.
Once Heartbleed was publicized, security researcher Robert David Graham from Errata Security found that roughly 600,000 servers were vulnerable to the security flaw. One month later, half of these servers had been patched and protected against Heartbleed, said Graham, and only 318,239 were left exposed.
However, two months after Heartbleed, 309,197 servers remain unprotected -- a patch rate plummeting from double to single percentage digits as only 9,042 new servers have been patched in the last month.
The security researcher says this stagnation means people have stopped even trying to patch systems, and there should be a "slow decrease" in the number of vulnerable systems as older servers are replaced. However, now that the top few thousand companies online have protected themselves, it is unlikely the smaller firms that have not already done so will follow suit.
"Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable," Graham says.
What does this mean for account holders? If you're concerned about account details, used McAfee's free checker to find out if a website is vulnerable. Better still, use a different password for each of your online accounts.
This story originally appeared as "Heartbleed: Over 300,000 servers still exposed" on ZDNet.