Over 300,000 Servers Remain Vulnerable To Heartbleed
An anonymous reader writes Even though it's been a couple months since the Heartbleed bug was discovered, many servers remain unpatched and vulnerable. "Two months ago, security experts and web users panicked when a Google engineer discovered a major bug — known as Heartbleed — that put over a million web servers at risk. The bug doesn't make the news much anymore, but that doesn't mean the problem's solved. Security researcher Robert David Graham has found that at least 309,197 servers are still vulnerable to the exploit. Immediately after the announcement, Graham found some 600,000 servers were exposed by Heartbleed. One month after the bug was announced, that number dropped down to 318,239. In the past month, however, only 9,042 of those servers have been patched to block Heartbleed. That's cause for concern, because it means that smaller sites aren't making the effort to implement a fix."
If those servers would have studied engineering instead of history, they probably would not be servers and not be suffering from broken hearts.
Time Bomber the Book coming soon.
I wonder how many of these are dirt cheap hosting servers, and no one who should care even knows the hosting company is asleep at the switch...
Why would someone patch the web server?
We don't like smart, initiative-taking teenagers here in the USA
1. Teenager sends email to administrators advising them about unpatched server.
2. SWAT raids the home of the kid.
3. DA sends the kid to private jail for life and announces running for another term.
4. ?
5. Profit or reality of life in the USA
You've packed a lot of wrong into such a short post. If a system is insecure a "good" architecture is irrelevant - you're still screwed. And either way, neither architecture nor cryptocurrencies have anything to do with this problem, which is unpatched OpenSSL.
John
Bitcoin itself is not vulnerable, as I understand it. But an online wallet using HTTPS with certain heartbeat-enabled TLS stacks may be vulnerable.
Only 50% found it critical enough to deal with the problem quickly. The rest either have embedded systems or dependencies that are preventing them from upgrading, or they aren't savvy enough to know that their system is vulnerable. For example, systems on Ubuntu 13.04 didn't get the Heartbleed fix because 13.04 is at end of support, necessitating an upgrade to 13.10 first before getting the fix. You can of course roll your own and build it yourself, etc., but most organizations aren't going to do that. There's also that small percentage that will never upgrade no matter what because there is some other reason not to, org blowback or systems near end of life, for example.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Bitcoin used a vulnerable version of OpenSSL and required an update to Bitcoin Core to stop it from revealing the contents of its memory to a remote attacker. That is why 0.9.1 came out in such short order after the disclosure of the Heartbleed vulnerability. See the Bitcoin Foundation's website: Heartbleed
Thirty four characters live here.
LOL. Most certificate authorities are just saying 'here's what this guy told us his name is'. Basically worthless.
But it's nice to have a near monopoly service that's no better than a self signed certificate.
I apologize for the lack of a signature.