Saturday, June 21, 2014

300k vulnerable to Heartbleed two months later

When the Heartbleed vulnerability was announced, we found 600k systems vulnerable. A month later, we found that half had been patched, and only 300k were vulnerable. Last night, now slightly over two months after Heartbleed, we scanned again and found 300k (309,197) still vulnerable. This was done by simply scanning port 443; I haven't checked other ports.

This indicates that people have stopped even trying to patch. We should see a slow decrease over the next decade as older systems are replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, vulnerable. I'll scan again next month, then at the six-month mark, and then yearly after that to track the progress.

10 comments:

Alex said...

Are you trying to reach out to the owners of these websites using their domain contacts?

Robert Graham said...

Of course I'm not reaching out to them. It would cause more problems than it would solve.

Mohit Kumar said...

Oh Man! Thanks Robert for this warning and Stats.

This is actually because of the readers' behaviour we call "Nothing New". The majority of readers ignore the threats and updates because they think "it's nothing new"; they already know about it, and they don't even need a patch for it, 'bcoz it's nothing new' :P

shortarabguy said...

I realize that you don't want to create a hit list of vulnerable sites, but from a user's perspective I'd like to know at this point which site operators are not just negligent (i.e. taking up to a month to patch), but dangerously so (as you wrote, sites whose administrators "... have stopped even trying to patch").

At what point (if ever) would you consider it fair to post a current version of this list?

Unknown said...

What would be more interesting than just a blanket 300k number would be how this breaks down across segments that most users would care about: financial services, internet retail 500, etc. I would venture an (unsubstantiated) guess that most of the internet that a majority of people actually care about has been patched. If not, those sites should be called out immediately for being a danger to end users.

MJS said...

Robert, how many SSL-supporting servers did you catalog? Was it still around 22 million?

Unknown said...

Who do I contact to have my IPs removed from your scans?

Unknown said...

Please keep sharing knowledge with us. Thanks a lot for your great posting.

Dave said...

Interesting - a 60-day half-life for patching, even with all the (often overwrought) publicity.