Writing in a blog post over the weekend, Errata Security CEO Robert Graham said that, while the number of vulnerable servers had roughly halved from 615,268 in April to 318,239 in May, it had not dropped significantly in the month since.
“When the Heartbleed vulnerability was announced, we found 600,000 systems vulnerable. A month later, we found that half had been patched, and only 300,000 were vulnerable,” wrote Graham. “Last night, now slightly over two months after Heartbleed, we scanned again, and found 300,000 (309,197) still vulnerable. This is done by simply scanning on port 443, I haven't checked other ports.”
More worryingly, Graham believes that, with many administrators having stopped patching, the flaw could persist on web servers for a decade or more.
“This indicates people have stopped even trying to patch. We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I expect to find thousands of systems, including critical ones, still vulnerable.”
CVE-2014-0160, better known as Heartbleed, was disclosed by Finnish firm Codenomicon and Google in a 7 April advisory, but the bug had been present in released OpenSSL code for around two years before then.
The bug is a missing bounds check in OpenSSL's handling of the TLS heartbeat extension: a remote peer can request a heartbeat response larger than the payload it sent, and the library replies with up to 64 KB of whatever happens to sit in process memory. Each request can be repeated, so an attacker can read large amounts of data that SSL/TLS was supposed to protect, without leaving anything in the server's logs. As this encryption is what secures web traffic, email (SMTP, POP and IMAP), instant messaging (XMPP) and SSL VPNs, attackers probing vulnerable systems could capture user passwords, session cookies, financial details, emails and private documents.
If the leaked memory includes the server's private key, they could also impersonate the site and decrypt captured traffic, which is why patching alone is not enough: keys should be regenerated, certificates reissued and the old ones revoked, and users' passwords and sessions reset.
The flaw affects any software linked against OpenSSL 1.0.1 through 1.0.1f; the older 0.9.8 and 1.0.0 branches never contained the heartbeat code and are not affected. Administrators should upgrade to OpenSSL 1.0.1g, or to a distribution package carrying the backported fix, and then restart every service that loaded the old library. Because OpenSSL is also used throughout Linux distributions and in many network appliances and embedded devices, a good deal of vulnerable code sits well away from the web servers that the scans measure.
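The two paragraphs above give the affected version range but not how to check a host against it, so here is a small triage script. It is an added example, not code from the article, from Errata Security or from the OpenSSL project. It goes slightly beyond the page in two ways: it also flags 1.0.2-beta1, which the OpenSSL advisory lists alongside 1.0.1 through 1.0.1f, and it applies the common build-date heuristic, because Debian and Red Hat patched 1.0.1e in place and so a fixed package still reports a "vulnerable" version string. The sample banners are constructed, not captured from real hosts, and a version string is only ever a heuristic: the definitive test is a live probe of the TLS heartbeat extension, which is out of scope here.

```python
"""Triage CVE-2014-0160 (Heartbleed) exposure from `openssl version -a` output.

Added example; not code from the article or from OpenSSL. Sample banners
below are constructed, not captured from real hosts.
"""
import re
import subprocess
import sys
from datetime import date

# Upstream releases affected per the OpenSSL advisory of 7 April 2014:
# 1.0.1 through 1.0.1f, plus 1.0.2-beta1. 1.0.1g and 1.0.2-beta2 carry the
# fix; 0.9.8 and 1.0.0 never contained the TLS heartbeat code at all.
FIX_DATE = date(2014, 4, 7)

_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")
# Matches "built on: Mon Apr  7 20:33:29 UTC 2014"; the zone name is optional
# because some platforms omit it.
_BUILT_RE = re.compile(
    r"built on:\s*\w{3}\s+(\w{3})\s+(\d{1,2})\s+[\d:]+(?:\s+[A-Za-z]+)?\s+(\d{4})"
)
_MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}


def parse_version(banner):
    """Return (major, minor, patch, letter, beta) from an 'OpenSSL x.y.z' banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"no OpenSSL version string in {banner!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    beta = int(m.group(5)) if m.group(5) else None
    return major, minor, patch, m.group(4), beta


def upstream_vulnerable(banner):
    """True if the upstream release named in the banner shipped the bug."""
    major, minor, patch, letter, beta = parse_version(banner)
    if (major, minor, patch) == (1, 0, 1):
        # '' (plain 1.0.1) sorts before 'a'; 'g' and later are fixed.
        return letter <= "f"
    if (major, minor, patch) == (1, 0, 2):
        return beta == 1
    return False


def parse_build_date(version_a_output):
    """Date from the 'built on:' line of `openssl version -a`, or None."""
    m = _BUILT_RE.search(version_a_output)
    if not m:
        return None
    return date(int(m.group(3)), _MONTHS[m.group(1)], int(m.group(2)))


def assess(version_a_output):
    """Classify `openssl version -a` output.

    'not-affected'      release outside the affected range, or heartbeats compiled out
    'vulnerable'        affected release and no sign of a distribution backport
    'maybe-backported'  affected version string but built on/after the fix date;
                        distributions patched 1.0.1e in place, so confirm with a
                        live heartbeat probe rather than trusting this verdict
    'unknown'           not an OpenSSL banner (LibreSSL, for example)
    """
    try:
        affected = upstream_vulnerable(version_a_output)
    except ValueError:
        return "unknown"
    if not affected:
        return "not-affected"
    # `openssl version -a` echoes the compiler flags; building with
    # -DOPENSSL_NO_HEARTBEATS removes the vulnerable code entirely.
    if "OPENSSL_NO_HEARTBEATS" in version_a_output:
        return "not-affected"
    built = parse_build_date(version_a_output)
    if built is not None and built >= FIX_DATE:
        return "maybe-backported"
    return "vulnerable"


# Constructed sample banners (not captured from real hosts).
SAMPLE_UNPATCHED = "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Tue Mar  4 12:39:59 UTC 2014\nplatform: linux-x86_64\n"
SAMPLE_BACKPORTED = "OpenSSL 1.0.1e 11 Feb 2013\nbuilt on: Wed Apr  9 13:00:00 UTC 2014\nplatform: linux-x86_64\n"
SAMPLE_FIXED = "OpenSSL 1.0.1g 7 Apr 2014\nbuilt on: Mon Apr  7 20:33:29 UTC 2014\n"
SAMPLE_NO_HEARTBEATS = "OpenSSL 1.0.1e 11 Feb 2013\ncompiler: gcc -DOPENSSL_NO_HEARTBEATS -O2\n"
SAMPLE_OLD_BRANCH = "OpenSSL 0.9.8y 5 Feb 2013\n"
SAMPLE_BETA = "OpenSSL 1.0.2-beta1 24 Feb 2014\n"

if __name__ == "__main__":
    # Read `openssl version -a` output from stdin if piped, else ask the local binary.
    if sys.stdin.isatty():
        text = subprocess.run(["openssl", "version", "-a"], capture_output=True,
                              text=True, check=False).stdout
    else:
        text = sys.stdin.read()
    print(assess(text))
```

Run it as `openssl version -a | python3 heartbleed_triage.py` on each host, or feed it banners collected by configuration management. Treat "maybe-backported" as a prompt to verify, not as a clean bill of health, and remember that a patched library is still loaded by every long-running process that has not been restarted since the upgrade.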
Phil Cracknell, head of privacy and security services at Company 85, criticised the slow response to the vulnerability, but urged businesses to think ahead by working with their partners.
“We still have 300,000 vulnerable systems – shock horror. Why? Well in Oct 2008 when a massive RDP vulnerability was supposedly patched by Microsoft we find systems to this day being exploited by that very weakness. The same [goes] for Heartbleed – there will be vulnerable systems for years,” Cracknell told SCMagazineUK.com.
“The problem is that this is a weakness in OpenSSL – far more widespread than just a Microsoft platform.
“What we must do, because OpenSSL is in some critical systems around the world, is as a business, secure our supply chain – check all partners and companies we work with have patched this. As an individual, we need to check the sites that we use and find out if they are patched. In time, if people push for some proof that this has been done we might see a more realistic figure of remaining vulnerable systems.”
Andrew Rose, a security analyst at Forrester and former CISO in the legal sector, agreed that the figure was ‘depressing but not terribly surprising’ and told SC that it showed that some companies ‘aren't plugged into the security grapevine’.
He found that particularly astonishing given that Heartbleed made front page news. “If they missed that it speaks of a disconnect between their personal and working lives,” said Rose.
SMEs, in particular, often prioritise functionality over security, and Rose urged them to think more like a technology company, since they are probably already reliant on the Internet for ecommerce and operational processes.
“SMEs are the most likely [to be affected]. They've not made the leap yet.” This, he said, was often down to a lack of accountability between those working on IT.
Furthermore, Rose warned that the flaw could be found on the web servers of critical infrastructure like water and gas installations, and suggested that these patches may not happen overnight.
“(You're) not just going to sling a patch on it and walk away…that's likely to break it,” said Rose, who said that critical infrastructure systems would need a full regression test, something which could result in ‘significant’ down-time.