More than 300,000 web servers remain at risk from the Heartbleed OpenSSL flaw, two and a half months since it was first uncovered.
Security researchers at Errata Security said that by running a simple scan of servers it found only 9,000 had been patched since the last time it ran a test a month ago, as security researcher at the firm Robert Graham explained.
“When the Heartbleed vulnerability was announced, we found 600,000 systems vulnerable. A month later, we found that half had been patched, and only 318,239 were vulnerable. Last night, now slightly over two months after Heartbleed, we scanned again, and found 309,197 still vulnerable,” he said.
Graham said that as Heartbleed stopped being covered so extensively in the press it appears interest or awareness in patching systems dropped off.
“This indicates people have stopped even trying to patch. We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable.”
Graham said he would continue to run a scan of systems, with one planned for next month, then at the six-month and year mark to see how the number had fallen.
The Heartbleed bug led to much soul-searching in the security community as experts wondered how such a major issue could have lain dormant for so long. Tech firms then stumped up more funding to help the Linux Foundation hire two full-time members of staff to work on the OpenSSL standard.
Since the Heartbleed flaw came to light another major OpenSSL flaw had been uncovered, after 16 years remaining hidden, with the Linux Foundation warning that more flaws could come to light as scrutiny on OpenSSL increases.
The best Black Friday tech bargains out there
Russell Group slammed for misusing student data in donation campaigns
Linus Torvalds is unhappy with current approaches to Linux security
Bug prevents ASLR from randomising location of important data