Euro Security Watch with Mathew J. Schwartz

Heartbleed Lingers: Nearly 180,000 Servers Still Vulnerable

Shodan Scans Show How Bug Isn't Burning Out - Just Fading Away
Shodan scans counting vulnerable servers show the Heartbleed bug has not been eradicated.

Nearly three years after it was discovered, Heartbleed lingers on.

A report from Shodan, a search engine for internet-connected devices, says that a Jan. 22 search identified 199,594 internet-connected devices that still remain vulnerable to the Heartbleed bug.

Heartbleed is the nickname for a vulnerability in OpenSSL, an open-source implementation of the SSL and TLS protocols that's used to secure data sent between clients and servers. The bug was jointly discovered by security firm Codenomicon and Google and publicly detailed in 2014, when related patches and fixes were released.

Since the bug was first publicized on April 7, 2014, multiple researchers - including Robert David Graham, who heads research firm Errata Security - have been scanning the internet to count how many internet-connected servers that respond with a valid SSL connection appear to be vulnerable to Heartbleed. Here's what ongoing scans have found:

  • April 2014: As of April 9, 2014, Graham reported finding an estimated 600,000 Heartbleed-vulnerable servers connected to the internet.
  • May 2014: One month later, Graham reported finding about 320,000 servers that were still vulnerable to Heartbleed.
  • January 2015: Graham's scans found 250,000 servers and other systems that connect to the internet that were still vulnerable to Heartbleed.
  • May 2016: Security researcher Billy Rios told me that he'd found about 200,000 vulnerable servers (see Heartbleed Update: America the Vulnerable).
  • Jan. 30, 2017: The most recent Shodan search reported that the number of Heartbleed-vulnerable devices had dropped to about 180,000, meaning that about 20,000 were apparently remediated after the Jan. 22 Shodan report came out.

The story of how Heartbleed is - or isn't - going away is easy to see: After a flurry of emergency fixes following the April 2014 Heartbleed heads-up, related patching efforts appear to have died down.

The Long Tail Lingers

Desktop OS market share, Dec. 2016. (Source: NetMarketShare.)

The fact that old bugs never burn out - they just fade away - isn't news to security researchers. According to market researcher NetMarketShare, for example, 9 percent of all desktops still run the Windows XP operating system, which Microsoft stopped supporting in 2014 (see London Police Busted For Windows XP Possession).

In the case of Heartbleed, no doubt attrition - old servers being replaced - has led to a partial decline in vulnerabilities. But a lot of the Heartbleed-vulnerable servers appear to be hosted at Amazon Web Services. I reached out to AWS to see if they could explain why, but haven't heard back yet.

The domains where Heartbleed-vulnerable servers are most found (source: Shodan).

The big-picture results, however, are a reminder that vulnerable or outdated systems - which become increasingly hard to secure - don't die out overnight, but rather fade away asymptotically, their numbers slowly arcing toward zero but never quite reaching it.

Or as Alan Woodward, a professor of computer science at the University of Surrey in England, puts it: "Legacy security issues go on and on and on and on."

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
