Saturday, June 21, 2014

300k vulnerable to Heartbleed two months later

When the Heartbleed vulnerability was announced, we found 600k systems vulnerable. A month later, we found that half had been patched, and only 300k were vulnerable. Last night, now slightly over two months after Heartbleed, we scanned again, and found 300k (309,197) still vulnerable. This is done by simply scanning on port 443; I haven't checked other ports.

This indicates people have stopped even trying to patch. We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable. I'll scan again next month, then at the 6-month mark, and then yearly after that to track the progress.

10 comments:

  1. Are you trying to reach out to the owners of these websites using their domain contacts?

  2. Of course I'm not reaching out to them. It would cause more problems than it would solve.

  3. This comment has been removed by the author.

  4. Oh Man! Thanks Robert for this warning and Stats.

    This is actually because of the readers' behaviour we call "Nothing New". The majority of readers ignore the threats and updates because they think "it's nothing new"; they already know about it and they don't even need a patch for it, "bcoz it's nothing new" :P

  5. I realize that you don't want to create a hit list of vulnerable sites, but from a user's perspective I'd like to know at this point which site operators are not just negligent (i.e. taking up to a month to patch), but dangerously so (as you wrote, sites whose administrators "... have stopped even trying to patch").

    At what point (if ever) would you consider it fair to post a current version of this list?

  6. What would be more interesting than just a blanket 300k number would be how this breaks down across segments that most users would care about: financial services, internet retail 500, etc. I would venture an (unsubstantiated) guess that most of the internet that a majority of people actually care about has been patched. If not, those sites should be called out immediately for being a danger to end users.

  7. Robert, how many SSL-supporting servers did you catalog? Was it still around 22 million?

  8. Who do I contact to have my IPs removed from your scans?

  9. Please keep sharing your knowledge with us. Thanks a lot for your great posting.
    Instant Annuity Rates

  10. Interesting - a 60-day half-life for patching, even with all the (often overwrought) publicity.

