Heartbleed vulnerability still affects 320k servers

A month on: Heartbleed not forgotten

Roughly 320,000 servers are still vulnerable to the Heartbleed OpenSSL bug a month after it was first revealed and caused panic in security circles.

The figure was discovered by Errata Security, which postulated that the number might even be higher, as some servers have firewalls in place, the scan was limited to port 443, and the ISP used to conduct the scan had significant traffic congestion.

When Heartbleed was publicly revealed last month, the number of vulnerable systems detected by Errata was 600,000.

In a heartbeat

The Heartbleed bug derives its name from the Heartbeat feature of OpenSSL, which contained an error that allowed data to be read without authorisation.
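To make the "error" concrete, here is an added example, not the article's text nor OpenSSL's own code: the length check that the fix introduced, written as a small standalone Heartbeat responder. The message layout follows RFC 6520; the function names and the two sample records are constructed for illustration.

```c
/* Added example, not code from the article or from OpenSSL: the length check
 * the Heartbleed fix introduced into TLS Heartbeat handling (RFC 6520). A
 * heartbeat record is a 1-byte type, a 2-byte big-endian payload_length, the
 * payload, then >= 16 bytes of padding. The bug trusted payload_length instead
 * of checking it against the bytes received, so the reply leaked memory. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define HB_REQUEST     1
#define HB_RESPONSE    2
#define HB_HEADER      3   /* type byte + two length bytes */
#define HB_MIN_PADDING 16

/* 1 when header + declared payload + padding fit in what was received. */
int heartbeat_length_ok(const uint8_t *rec, size_t rec_len)
{
    if (rec_len < HB_HEADER + HB_MIN_PADDING)
        return 0;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    return HB_HEADER + payload_len + HB_MIN_PADDING <= rec_len;
}

/* Writes a response for a validated request into out and returns its length;
 * -1 means the request was rejected and nothing was echoed. */
long heartbeat_respond(const uint8_t *rec, size_t rec_len, uint8_t *out, size_t out_cap)
{
    if (!heartbeat_length_ok(rec, rec_len) || rec[0] != HB_REQUEST)
        return -1;
    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];
    size_t resp_len = HB_HEADER + payload_len + HB_MIN_PADDING;
    if (resp_len > out_cap)
        return -1;
    out[0] = HB_RESPONSE; out[1] = rec[1]; out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, payload_len);   /* only bytes that arrived */
    memset(out + HB_HEADER + payload_len, 0, HB_MIN_PADDING); /* padding content is ignored */
    return (long)resp_len;
}

/* Constructed sample records: one well-formed, one declaring 65535 payload
 * bytes while carrying only the header and padding. */
const uint8_t good_req[] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o',
                             0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
const uint8_t bad_req[] = { HB_REQUEST, 0xFF, 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
int main(void)
{
    uint8_t out[64];
    printf("well-formed request -> %ld\n", heartbeat_respond(good_req, sizeof good_req, out, sizeof out));
    printf("over-declared request -> %ld\n", heartbeat_respond(bad_req, sizeof bad_req, out, sizeof out));
    return 0;
}
```

The unpatched code performed the copy without the `heartbeat_length_ok` comparison, so the declared length alone decided how many bytes were sent back.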

Errata detected one million systems with Heartbeat enabled last month, only a third of which were patched. It now detects 1.5 million, of which 1.2 million are patched. The rise in the number of systems using Heartbeat suggests that many had initially disabled the feature as a precautionary measure.

The bug was patched almost immediately by most top websites like Google and Facebook, but the fact that so many are still unpatched is a major cause for concern.

Perhaps the biggest issue with Heartbleed is that it existed for two years before anyone even knew about it. The delay in finding the bug was largely blamed on the lack of funding many open source projects like OpenSSL receive.