More than four weeks after the disclosure of the so-called Heartbleed bug found in a widely used cryptography package, slightly more or slightly less than half the systems affected by the catastrophic flaw remain vulnerable, according to two recently released estimates.
A scan performed last month by Errata Security CEO Rob Graham found 615,268 servers that indicated they were vulnerable to attacks that could steal passwords, other types of login credentials, and even the extremely sensitive private encryption keys that allow attackers to impersonate websites or monitor encrypted traffic. On Thursday, the number stood at 318,239. Graham said his scans counted only servers running vulnerable versions of the OpenSSL crypto library that enabled the "Heartbeat" feature where the critical flaw resides.
A separate scan using slightly different metrics arrived at an estimate that slightly less than half of the servers believed to be vulnerable in the days immediately following the Heartbleed disclosure remain susceptible. Using a tool the researcher yngve called TLS Prober, he found that 5.36 percent of all servers were vulnerable to Heartbleed as of April 11, four days after Heartbleed came to light. In a blog post published Wednesday, he said 2.33 percent of servers remained vulnerable. It's important to remember the results don't include the number of Heartbleed-vulnerable servers providing services such a virtual private networks or e-mail.