Two months after the infamous Heartbleed bug was disclosed, about half of the servers originally found vulnerable remain unpatched: at least 300,000 servers are still exposed to the flaw, CNET reports.
Heartbleed, first reported by a Google engineer, caused widespread alarm and a huge round of server patching by companies worldwide. The flaw is in OpenSSL, the open-source cryptographic library that a large share of websites use to encrypt their connections, and, if exploited, it lets an attacker read chunks of the server's memory, which can contain account log-in details and passwords. What made this bug different from others is that it sat in OpenSSL itself, which is used by thousands of websites, so a large number of servers across the Web were exposed at once.
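To make concrete how one library bug leaked account data, the following is an added illustration, not OpenSSL's code. It models the shape of the pre-fix heartbeat handler and of the bounds check the fixed release (OpenSSL 1.0.1g) added: a heartbeat record is one type byte, a two-byte payload length, the payload, and at least 16 bytes of padding, and the server echoes the payload back. The vulnerable version trusts the client-supplied length field, so it copies memory beyond the record into its reply. The simulated memory arena, the planted secret and the helper names are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ARENA_SIZE 256
#define HB_PADDING 16
#define HB_HEADER  3   /* 1 byte type + 2-byte big-endian payload length */

/* Simulated process memory (constructed for this example): the incoming
 * heartbeat record sits at the start, and whatever the allocator placed
 * next (here a planted secret) follows it. */
static unsigned char arena[ARENA_SIZE];

typedef size_t (*hb_handler)(size_t rec_len, unsigned char *out, size_t out_cap);

/* Write a heartbeat request whose length field claims `claimed_len` payload
 * bytes but which actually carries only `payload`; plant `secret` right after
 * the record. Returns the true record length. */
static size_t build_record(const char *payload, uint16_t claimed_len, const char *secret)
{
    size_t plen = strlen(payload);
    size_t rec_len = HB_HEADER + plen + HB_PADDING;
    memset(arena, 0, sizeof arena);
    arena[0] = 1;                                   /* heartbeat request */
    arena[1] = (unsigned char)(claimed_len >> 8);
    arena[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(arena + HB_HEADER, payload, plen);
    strncpy((char *)arena + rec_len, secret, ARENA_SIZE - rec_len - 1);
    return rec_len;
}

/* Pre-fix behaviour: the echo length comes from the attacker-controlled field
 * and is never compared with rec_len, so the copy runs past the record into
 * neighbouring memory. Returns the number of bytes echoed. The clamp to the
 * arena only keeps this toy inside its own buffer; the real code read straight
 * out of the heap. */
static size_t heartbeat_vulnerable(size_t rec_len, unsigned char *out, size_t out_cap)
{
    (void)rec_len;
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    if (claimed > out_cap) claimed = out_cap;
    if (HB_HEADER + claimed > ARENA_SIZE) claimed = ARENA_SIZE - HB_HEADER;
    memcpy(out, arena + HB_HEADER, claimed);
    return claimed;
}

/* Post-fix behaviour: a record whose claimed payload plus header and padding
 * exceeds the bytes actually received is silently dropped; otherwise only
 * bytes inside the record are echoed. */
static size_t heartbeat_fixed(size_t rec_len, unsigned char *out, size_t out_cap)
{
    size_t claimed = ((size_t)arena[1] << 8) | arena[2];
    if (HB_HEADER + claimed + HB_PADDING > rec_len) return 0;
    if (claimed > out_cap) return 0;
    memcpy(out, arena + HB_HEADER, claimed);
    return claimed;
}

/* Attacker scenario: 2 real payload bytes, length field claiming 64, secret
 * planted after the record. Returns 1 if the reply contains the secret. */
static int secret_leaked_by(hb_handler handler)
{
    static const char secret[] = "SESSION=abc123";
    unsigned char reply[ARENA_SIZE];
    size_t rec_len = build_record("hi", 64, secret);
    size_t n = handler(rec_len, reply, sizeof reply);
    size_t slen = strlen(secret);
    for (size_t i = 0; i + slen <= n; i++)
        if (memcmp(reply + i, secret, slen) == 0) return 1;
    return 0;
}

/* Honest scenario: claimed length matches the payload. Returns bytes echoed,
 * which should be the same for both handlers. */
static size_t honest_echo_len(hb_handler handler)
{
    unsigned char reply[ARENA_SIZE];
    size_t rec_len = build_record("hi", 2, "unused");
    return handler(rec_len, reply, sizeof reply);
}

int main(void)
{
    printf("vulnerable handler leaks planted secret: %s\n",
           secret_leaked_by(heartbeat_vulnerable) ? "yes" : "no");
    printf("fixed handler leaks planted secret: %s\n",
           secret_leaked_by(heartbeat_fixed) ? "yes" : "no");
    printf("honest request echoed by fixed handler: %zu bytes\n",
           honest_echo_len(heartbeat_fixed));
    return 0;
}
```

The point of the check is that the server-side length computation must be driven by how many bytes were actually received, never by the length the peer claims; the fixed handler also drops rather than truncates a malformed request, so a probe gets no response at all to learn from.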
Once Heartbleed was publicized, security researcher Robert David Graham of Errata Security found roughly 600,000 servers exposed to the flaw. One month later, half of these had been patched against Heartbleed, Graham said, leaving 318,239 exposed.
Two months on, however, 309,197 servers remain unprotected. The patch rate has collapsed from roughly half of the exposed servers in the first month to under three percent in the second: only 9,042 more servers were patched in the last month.
Graham says this stagnation means people have stopped trying to patch their systems; from here on he expects only a "slow decrease" in the number of vulnerable systems as older machines are replaced. Now that the top few thousand companies online have protected themselves, it is unlikely that the smaller firms that have not already done so will follow their example.
“Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable,” Graham says.
Account holders can use McAfee's free checker to find out whether a website is vulnerable. Users are also encouraged to use a different password for each online account rather than reusing one. Note that changing a password only helps once the site has patched its servers: a new password entered on a still-vulnerable server can be leaked just like the old one.