Heartbleed is two months old — but security researchers say it’s still a significant threat.
Writing at Errata Security, Robert Graham says his firm’s testing indicates there are still more than 300,000 servers running outdated software and still vulnerable to attack via Heartbleed.
Even a decade from now, says Graham, “I still expect to find thousands of systems, including critical ones, still vulnerable.”
The bug exploits a flaw in an outdated version of the OpenSSL security library. Attackers can use it to read fragments of a web server’s memory — which may include encryption keys and passwords.
When the news broke in April, a flurry of stories explained how server operators would need to update their software and replace encryption certificates to secure themselves. (Via Mashable, Symantec, CloudFlare)
And users were in most cases told to wait for server admins to finish patching before changing their passwords, since a new password is no safer than the old one until the underlying OpenSSL is fixed.
The worry today is that if a third of a million servers haven’t patched by now, they never will.
“Sites with sub-par security standards [will] continue to leave themselves — and their users — exposed,” says The Verge. “The danger is particularly real now since the exploit has been widely publicized.”
Graham plans to update the Errata blog with a new vulnerability count next month, and again at the six-month milestone.