It’s been more than two months since news broke of the Heartbleed vulnerability in OpenSSL, one of the Internet’s most widely deployed cryptographic libraries. In the days and weeks that followed the emergence of the bug, which affected an unknown but arguably vast swath of the Web, vendors were quick to provide patches. However, new research suggests the zeal to fix the widely publicized bug may be waning.
Robert Graham, a security researcher and the owner of Errata Security, has been tracking the patch progress for Heartbleed since shortly after it emerged. Just days after Heartbleed became known, Graham performed a scan of port 443 and found that 615,268 machines were vulnerable. A month after that, Graham performed a second scan of port 443 and found 318,239 machines vulnerable. On Saturday, he performed a third scan, finding that 309,197 machines remain vulnerable.
It’s important to note that the figures from Graham’s scans do not reflect the entirety of all systems affected by Heartbleed: only hosts answering on port 443 are counted, so mail servers, VPN gateways, embedded devices and anything else running OpenSSL on other ports are missed. However, port 443 is the standard port for HTTPS, which relies on SSL/TLS, so Graham’s findings likely reflect at least a partially representative sample of the broader reality regarding patch implementation for Heartbleed.
“This indicates people have stopped even trying to patch,” Graham wrote on his blog. “We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable.”
Graham plans to perform a scan again next month, then at six months, and once a year after that moving forward.
Heartbleed is a dangerous Internet-wide bug in OpenSSL’s handling of the TLS heartbeat extension. A malformed heartbeat request declares a payload length larger than the payload actually sent, and an unpatched server echoes back the declared amount, up to 64 KB of its own process memory per request. That memory can contain sensitive information such as user credentials, and, if the attack is repeated often enough, the server’s private key.
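To make the mechanism concrete, here is an added illustration written for this page; it is not OpenSSL’s code and does not reproduce the real record layout or state machine. It models a heartbeat record as a type byte, a two-byte declared payload length, the payload and 16 bytes of padding, with the record sitting in a constructed "process memory" buffer that also holds a made-up secret. The vulnerable handler copies the declared number of bytes without checking that they exist inside the received record, so the secret ends up in the response; the hardened handler applies the bounds check that the fix introduced and rejects the request. The secret string, buffer sizes and function names are all assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OpenSSL's code. Simplified heartbeat record:
 *   byte 0      : type (1 = request, 2 = response)
 *   bytes 1..2  : declared payload length, big-endian
 *   then payload, then HB_PADDING bytes of padding. */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16
#define MEM_SIZE     96   /* constructed "process memory" */
#define RECORD_AREA  32   /* received record occupies the first 32 bytes */

static const char SECRET[] = "SECRET-KEY-BYTES";  /* constructed adjacent data */

typedef int (*hb_handler)(const uint8_t *rec, size_t rec_len,
                          uint8_t *resp, size_t resp_cap, size_t *resp_len);

/* Write a heartbeat request into mem with a DECLARED length of `claimed`
 * but only `actual` real payload bytes. Returns the true record length. */
static size_t build_record(uint8_t *mem, uint16_t claimed,
                           const char *payload, size_t actual)
{
    mem[0] = HB_REQUEST;
    mem[1] = (uint8_t)(claimed >> 8);
    mem[2] = (uint8_t)(claimed & 0xff);
    memcpy(mem + 3, payload, actual);
    memset(mem + 3 + actual, 0, HB_PADDING);
    return 3 + actual + HB_PADDING;
}

/* Vulnerable: trusts the declared length, never consults rec_len. */
static int heartbeat_vulnerable(const uint8_t *rec, size_t rec_len,
                                uint8_t *resp, size_t resp_cap, size_t *resp_len)
{
    (void)rec_len;                                    /* the bug in one line */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)3 + payload + HB_PADDING > resp_cap) return -1;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);               /* over-reads past the record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    *resp_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Hardened: same logic plus the bounds checks the fix added. */
static int heartbeat_hardened(const uint8_t *rec, size_t rec_len,
                              uint8_t *resp, size_t resp_cap, size_t *resp_len)
{
    if (rec_len < 1 + 2 + HB_PADDING) return -1;     /* too short to be valid */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return -1;  /* declared > received */
    if ((size_t)3 + payload + HB_PADDING > resp_cap) return -1;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    *resp_len = 3 + payload + HB_PADDING;
    return 0;
}

/* Run an inflated request (declares 60 bytes, sends 4) against a handler.
 * Returns 1 if the secret appears in the response, 0 if not, -1 if rejected. */
static int leaks_secret(int hardened)
{
    uint8_t mem[MEM_SIZE] = {0}, resp[256];
    size_t resp_len = 0, slen = strlen(SECRET);
    hb_handler h = hardened ? heartbeat_hardened : heartbeat_vulnerable;
    size_t rec_len = build_record(mem, 60, "ping", 4);
    memcpy(mem + RECORD_AREA, SECRET, slen);          /* "adjacent" memory */
    if (h(mem, rec_len, resp, sizeof resp, &resp_len) != 0) return -1;
    for (size_t i = 0; i + slen <= resp_len; i++)
        if (memcmp(resp + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* A well-formed request (declared == actual) must still work after the fix.
 * Returns 1 if the payload is echoed correctly, 0 otherwise. */
static int honest_heartbeat_ok(int hardened)
{
    uint8_t mem[MEM_SIZE] = {0}, resp[256];
    size_t resp_len = 0;
    hb_handler h = hardened ? heartbeat_hardened : heartbeat_vulnerable;
    size_t rec_len = build_record(mem, 4, "ping", 4);
    if (h(mem, rec_len, resp, sizeof resp, &resp_len) != 0) return 0;
    return resp_len == 3 + 4 + HB_PADDING && memcmp(resp + 3, "ping", 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", leaks_secret(0));  /* 1 */
    printf("hardened handler result:         %d\n", leaks_secret(1));  /* -1 = rejected */
    printf("honest request, vulnerable: %d, hardened: %d\n",
           honest_heartbeat_ok(0), honest_heartbeat_ok(1));            /* 1, 1 */
    return 0;
}
```

The single check `1 + 2 + payload + 16 > rec_len` is the whole difference: the record's real length is known to the TLS layer, so the declared payload length must be validated against it before the copy. The example keeps everything inside one array so the over-read is observable without undefined behaviour; in a real process the bytes past the record are whatever happens to be on the heap, which is why repeated requests eventually surface key material.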
Despite these findings, the makers of critical infrastructure and other software continue to ship Heartbleed patches for their products, which is a good thing considering that researchers are still finding new ways of exploiting the bug.