Two months after the Heartbleed bug was first announced, a group of security researchers has found that there are more than 300,000 servers that remain vulnerable.
According to researchers at Errata Security, the number of vulnerable systems has remained steady since a month ago, suggesting that people have stopped trying to patch.
Robert Graham, owner of Errata Security, said in a blog post on Saturday that he expects to see a slow decrease over the next decade as older systems are replaced. Despite this, he expects to find “thousands of systems, including critical ones, still vulnerable” over the next 10 years.
Errata Security began scanning the Internet (port 443) to see how many systems were vulnerable when Heartbleed was first announced. At the time, the scan found that there were 600,000 vulnerable systems, and by May, there were 318,239 systems still vulnerable.
In April, Graham found 28 million systems supporting SSL, but last month found only 22 million.
“I suspect the reason is that this time, people detected my Heartbleed ‘attacks’ and automatically firewalled me before the scan completed. Or, another problem is that I may have more traffic congestion at my ISP, which would reduce numbers,” Graham said.
In the aftermath of Heartbleed, people rushed to patch servers and employ easy security solutions. Spammers took advantage of this concern earlier this month with a false “Heartbleed removal tool” that actually installed malware on computers.
For web hosting providers and cloud providers, letting customers know that systems are protected and patched against Heartbleed can offer a bit of positive PR, even if the systems haven’t been vulnerable for some time. If customers are still concerned about the effects of Heartbleed enough to install fake removal tools, offering customers peace of mind could create a more trustworthy relationship.
Last month, Graham found 1.5 million systems supporting the heartbeat feature, with all but the 300,000 vulnerable systems patched. He said this implies that the first response to the bug was to disable heartbeats, and that heartbeats were re-enabled once the software had been correctly patched.
In order to prevent future attacks like Heartbleed, the Linux Foundation recently formed a multi-million dollar project to fund and support critical elements of the global information infrastructure.
Errata Security plans to scan again next month, then at the six month mark, and continue to scan yearly to keep track of progress.