Heartbleed - 300,000 systems still not secure

Even a decade from now, critical systems could be vulnerable, claims security researcher

More than 300,000 systems are still not safe from the flawed OpenSSL code, better known as Heartbleed, according to security research firm Errata Security.

OpenSSL is an open-source security tool widely used to encrypt passwords when people log-in to a system. A flaw in the implementation of OpenSSL could allow the private key used in a Secure Sockets Layer (SSL) communication to be exposed. Attackers could then decrypt and read any secure data passed on the network link.

In April, the first reports of exploits of the tool emerged, and a patch was made available immediately so that systems would no longer be able to be exploited through the tool.

However, Errata Security researcher Robert Graham claimed that despite the number of systems being vulnerable having decreased significantly since the Heartbleed bug was announced, half of the systems that were vulnerable then, are still vulnerable today.

"We found 600,000 systems vulnerable when the Heartbleed vulnerability was announced. A month later, we found that half had been patched, and only 300,000 were vulnerable. Last night, about two months after Heartbleed, we scanned again and found 300,000 still vulnerable," he said in a blog post.

Graham believes that people may have stopped trying to patch their systems, meaning that the Heartbleed vulnerability could remain an issue in the years to come.

"Even a decade from now, I still expect to find thousands of systems, including critical ones, still vulnerable," he stated.

However, he hopes that there should be a decrease as older systems are slowly replaced.

In April, Computing questioned who was to blame for the Heartbleed bug, with the consensus being that many of the big companies that were using the OpenSSL code for their own benefit, weren't funding or helping to maintain and test the software.

In the aftermath of the Heartbleed crisis, technology firms including Google, Facebook and Amazon united in a bid to support ‘critical' open source projects.

Other companies involved in the ‘Core Infrastructure Initiative' are Cisco, Microsoft, IBM, Intel, Dell, VMware, Rackspace, Fujitsu, Qualcomm and NetApp.