
Report: Heartbleed still a threat to thousands of servers

Since it was brought to our attention three months ago, Heartbleed has made countless headlines because of the severe danger it poses. The vulnerability, which affects systems using the OpenSSL library, allows attackers to read data from affected servers without leaving any trace of their actions behind. Given its severity, one would assume that those responsible for preventing any (further) damage have already taken all the necessary precautions.

And, indeed, popular service providers have been quick to address the problem, with the likes of Google, Facebook and Microsoft publicly stating whether the vulnerability could affect their products and users, and issuing patches where needed. This has given us a false sense of security, a feeling that the worst has passed. Yet, even today, Heartbleed can still do quite a bit of damage.


Errata Security analyst Robert Graham says that, of the 600,000 servers Errata Security found to be vulnerable to Heartbleed at the time of its disclosure, 300,000 systems (309,197, to be exact) remain unpatched three months later. The analysis was performed by scanning port 443.

The count is unchanged from a prior assessment two months earlier. What does this tell us?

"This indicates people have stopped even trying to patch", says Graham. A worrying but plausible scenario. The pool of Heartbleed-affected servers should shrink over the coming decade, estimates the security analyst, who believes that its potential impact will decrease as older systems are replaced. "Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable", adds Graham.

Graham also says that he will "scan again next month, then at the 6 month mark, and then yearly after that to track the progress". When asked whether the owners of the affected servers have been contacted, the security analyst said no, as this "would cause more problems than it would solve". No list of "guilty" systems has been provided, so tread carefully.