Hundreds of thousands of servers have been patched against the OpenSSL Heartbleed vulnerability in the two months since its disclosure, but more than 300,000 servers (exactly 309,197) remain vulnerable, according to security researchers at Errata Security.
The Heartbleed bug, described by some as the worst security flaw the internet has ever encountered, made headlines for most of April. Once the flaw was publicized, Robert David Graham, a security researcher at Errata Security, reported that around 600,000 systems were affected by the vulnerability in the OpenSSL cryptographic library.
A month later, Graham reported that nearly half of those servers had been patched, with 318,239 still exposed. Over the past month, however, the patch rate has fallen from a double-digit to a single-digit percentage: only 9,042 more servers were patched, leaving 309,197 still vulnerable.
“This indicates people have stopped even trying to patch,” Graham said in a blog post. “We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable. I’ll scan again next month, then at the 6 month mark, and then yearly after that to track the progress.”
Graham will continue to track OpenSSL upgrades and the progress of Heartbleed patching. He suspects that some sites blocked his scans, adding: “The numbers are a little strange. Last month, I found 28 million systems supporting SSL, but this month I found only 22 million. I suspect the reason is that this time, people detected my Heartbleed ‘attacks’ and automatically firewalled me before the scan completed.”