Think Heartbleed is dead and done? Over 300,000 servers beg to differ

Be still, my Heartbleed

May 7 marked one month since the public at large was made aware of the Heartbleed bug, but it's not time to celebrate mission accomplished quite yet.

Errata Security revealed that more than 300,000 web servers remain vulnerable to Heartbleed, the OpenSSL bug that took a nasty bite out of internet security early last month.

Cybersecurity researcher Robert Graham conducted a scan of internet port 443 in early April after Heartbleed started making headlines and discovered 600,000 systems were vulnerable to the bug at the time.

This week, that number has fallen to precisely 318,329, which should be cause for some celebration, right? Not so fast, Graham says, although there is a silver lining to be found among those dark clouds.

Beating hearts

The OpenSSL software responsible for Heartbleed includes a built-in "heartbeat" feature (the TLS extension the bug lives in), although only about a million of the systems scanned last month actually had this option enabled.

Flash-forward to this week, and Graham has discovered 1.5 million systems supporting "heartbeat," with all but the roughly 300,000 cited above having shored up their defenses by patching the bug.

"This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled," Graham elaborated in a blog post.
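Graham's inference rests on one observable fact: a server that has heartbeats enabled advertises the heartbeat extension (type 15, defined in RFC 6520) in its ServerHello, while a server that has disabled them omits it. The parser below, an added example written for this article rather than Graham's own scanner code, reads a captured ServerHello record and reports whether that extension is present. Advertising heartbeat does not by itself mean a server is vulnerable (the article's own numbers show 1.5 million heartbeat-capable systems against roughly 300,000 unpatched ones), so this is an inventory check for your own hosts, not a vulnerability test. The `build_server_hello` helper and the three sample records are constructed here so the code runs offline; the byte layout follows RFC 5246.

```python
import struct

HEARTBEAT_EXT = 0x000F   # RFC 6520 extension type for the TLS heartbeat feature
HANDSHAKE = 0x16         # TLS record content type: handshake
SERVER_HELLO = 0x02      # handshake message type: ServerHello


def build_server_hello(extensions, version=0x0303, cipher=0xC02F):
    """Construct a TLS record carrying a ServerHello with the given extensions.

    Used only to create constructed sample input for this example; the layout
    (record header, handshake header, ServerHello body) follows RFC 5246.
    """
    ext_body = b"".join(struct.pack("!HH", etype, len(edata)) + edata
                        for etype, edata in extensions)
    body = struct.pack("!H", version) + bytes(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!HB", cipher, 0)                      # cipher suite, null compression
    if extensions:                                             # extensions block is optional
        body += struct.pack("!H", len(ext_body)) + ext_body
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


def parse_server_hello(record):
    """Parse one TLS record holding a ServerHello; return version, cipher and extensions."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _record_version, rlen = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or len(record) < 5 + rlen:
        raise ValueError("not a complete handshake record")
    handshake = record[5:5 + rlen]
    if handshake[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hlen = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + hlen]
    if len(body) < hlen:
        raise ValueError("truncated ServerHello body")

    pos = 0
    version = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    pos += 32                                   # server random
    session_id_len = body[pos]
    pos += 1 + session_id_len
    cipher = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    pos += 1                                    # compression method

    extensions = {}
    if pos + 2 <= len(body):                    # older servers omit the block entirely
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end > len(body):
            raise ValueError("truncated extensions block")
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if pos + elen > end:
                raise ValueError("extension length exceeds block")
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher": cipher, "extensions": extensions}


def heartbeat_status(record):
    """Return 'absent' if the server does not advertise heartbeat, else its HeartbeatMode."""
    extensions = parse_server_hello(record)["extensions"]
    if HEARTBEAT_EXT not in extensions:
        return "absent"
    mode = extensions[HEARTBEAT_EXT][:1]
    return "peer_allowed_to_send" if mode == b"\x01" else "peer_not_allowed_to_send"


# Constructed sample records: heartbeat on, heartbeat off, and no extensions at all.
SAMPLE_WITH_HEARTBEAT = build_server_hello([(0xFF01, b"\x00"), (HEARTBEAT_EXT, b"\x01")])
SAMPLE_WITHOUT_HEARTBEAT = build_server_hello([(0xFF01, b"\x00")])
SAMPLE_NO_EXTENSIONS = build_server_hello([])

if __name__ == "__main__":
    for name, sample in [("heartbeat on", SAMPLE_WITH_HEARTBEAT),
                         ("heartbeat off", SAMPLE_WITHOUT_HEARTBEAT),
                         ("no extensions", SAMPLE_NO_EXTENSIONS)]:
        print(f"{name}: {heartbeat_status(sample)}")
```

A fleet-wide tally of `heartbeat_status` over captured ServerHellos gives exactly the two numbers the article compares, heartbeat-capable versus total SSL hosts, and a host that moves from "absent" back to a mode value is one that has re-enabled the extension, which is the pattern Graham reads as "disabled first, patched later".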

All told, the security expert found 28 million SSL-supporting systems during his April scan, but the best news of all may be that the "vast majority" of those servers used software other than Heartbleed-vulnerable OpenSSL in the first place.
