Nearly 200,000 services still vulnerable to the Heartbleed bug have been found connected to the internet, but one expert says that may not be a big deal.
Researchers from Shodan found nearly 200,000 services around the world still connected to the web but not patched against Heartbleed. The plurality of those services (about 42,000) are in the US, and most of the vulnerable services are running on the Linux 3.x kernel, according to Shodan's latest Heartbleed Report, a post linked to by Shodan founder John Matherly.
The Heartbleed bug was publicly disclosed and patched in April 2014, but the OpenSSL flaw gained notoriety because of how widespread it was, how easily it could be exploited, how difficult it was to patch in many cases, and because it was one of the first branded vulnerabilities. It has since become commonplace to compare any new SSL flaw to Heartbleed.
Graham Cluley, independent computer security expert, said system admins have had plenty of time to apply OpenSSL patches and remediate the Heartbleed bug, so he doesn't expect the situation to get better.
"In a year's time, we won't see any significant reduction in the number of Heartbleed vulnerable websites and services connected to the internet," Cluley wrote in a blog post. "This is as good as it's going to get. The people who cared about fixing their systems against the Heartbleed vulnerability did it long ago. The others simply don't give a damn."
Martijn Grooten, security researcher for Virus Bulletin, said the risks presented by the remaining vulnerable services may not be so bad.
"Heartbleed is really bad, but exploits of it don't scale well, so 200k vulnerable services is mostly background noise," Grooten wrote on Twitter (@martijn_grooten) on January 23, 2017, linking to the report at https://t.co/JLFGo717Vl.