Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security Bug

Over 300,000 Servers Remain Vulnerable To Heartbleed 74

An anonymous reader writes Even though it's been a couple months since the Heartbleed bug was discovered, many servers remain unpatched and vulnerable. "Two months ago, security experts and web users panicked when a Google engineer discovered a major bug — known as Heartbleed — that put over a million web servers at risk. The bug doesn't make the news much anymore, but that doesn't mean the problem's solved. Security researcher Robert David Graham has found that at least 309,197 servers are still vulnerable to the exploit. Immediately after the announcement, Graham found some 600,000 servers were exposed by Heartbleed. One month after the bug was announced, that number dropped down to 318,239. In the past month, however, only 9,042 of those servers have been patched to block Heartbleed. That's cause for concern, because it means that smaller sites aren't making the effort to implement a fix."
This discussion has been archived. No new comments can be posted.

Over 300,000 Servers Remain Vulnerable To Heartbleed

Comments Filter:
  • by Austrian Anarchy ( 3010653 ) on Sunday June 22, 2014 @03:08PM (#47294361) Homepage Journal
    If those servers would have studied engineering instead of history, they probably would not be servers and not be suffering from broken hearts.
    • by plover ( 150551 ) on Sunday June 22, 2014 @03:10PM (#47294371) Homepage Journal

      You bleeding heart liberals never know when to change.

    • by jellomizer ( 103300 ) on Monday June 23, 2014 @08:54AM (#47297495)

      300,000 seems like a small number, if you stop and consider how many sub amateurs setup web servers.
      You were told that Linux is very secure and you don't have to worry about hacks and viruses. You installed your favorite distribution, and got what ever web stuff you wanted and then you left the server running ranking up Uptime and not touching the server ever again. Heck I am willing to bet for some of these systems the Hard Drive failed years ago, and they are running off of ram alone.
      Web Page still works, everything is A-OK.

  • Hosting? (Score:5, Insightful)

    by houstonbofh ( 602064 ) on Sunday June 22, 2014 @03:10PM (#47294369)
    I wonder how many of these are dirt cheap hosting servers, and no one who should care even knows the hosting company is asleep at the switch...
    • by Anonymous Coward

      Maybe some of them are patched but nobody restarted apache/nginx/lighttpd/whatever so they still use old and vulnerable openssl version

  • This is to be expected, the only organizations that were going to aggressively patch HB were going to be the googles, the microsofts, the ones with millions of assets and awareness of how much damage that it can cause. The ones that aren't going to patch are going to be your Bob and Joe's Bait Shop with the inexplicable online shop that's being managed by their nephew whenever he's in town from college, if he knows to.
    • who does not want to pay the X3 rate to get some out there now to fix it and will just wait for the next visit in there plan with there Outsourced IT plan.

    • by tlhIngan ( 30335 )

      This is to be expected, the only organizations that were going to aggressively patch HB were going to be the googles, the microsofts, the ones with millions of assets and awareness of how much damage that it can cause. The ones that aren't going to patch are going to be your Bob and Joe's Bait Shop with the inexplicable online shop that's being managed by their nephew whenever he's in town from college, if he knows to.

      Or the "smart" software developer who sees Apples and Googles and Microsfots charging 30%

  • by Anonymous Coward

    This is why at different websites, you need different passwords. This way, it minimizes damage when it's not patched.

    Just watch the video at http://www.komonews.com/news/consumer/Getting-passwords-under-control-261725121.html

    A more secure password has at least nine characters and has a combination of letters, numbers, and symbols. You can use a core password that's easy to remember, then put characters ahead of it and after it to vary it for different websites. So, for example, your core could be B@seball9,

  • by Jorge666 ( 3709467 ) on Sunday June 22, 2014 @03:20PM (#47294403)

    Why would someone patch the web server?
    We don't like smart and taking initiative teenagers, here in the USA

    1. Teenager sends email to administrators advising them about unpatched server.
    2. SWAT raids the home of the kid.
    3. DA sends the kid to private jail for life and announces running for another term.
    4. ?
    5. Profit or reality of life in the USA

  • most servers on the internet don't do anything important. this is sensationalist tripe.

  • by Virtucon ( 127420 ) on Sunday June 22, 2014 @04:56PM (#47294741)

    Only 50% found it critical enough to deal with the problem quickly. The rest either have embedded systems or dependencies that are preventing them from upgrading or they aren't savvy enough to know that they're system is vulnerable. For example systems on Ubuntu 13.04 didn't get the heartbleed fix because 13.04 is at end of support, necessitating to first upgrade to 13.10 before getting the fix. You can of course roll your own and build it yourself etc. but most organizations aren't going to do that. There's also that small percentage that will never upgrade no matter what because they're is some other reason not to, org blow back or systems are near end of life for example.

  • There are servers out there still broadcasting the "code red" worm...

  • Certificate Authorities (CA) could help here: if a secured server was mandatory to get certificate renewal, things would be cleaned up.

    Problem is: each CA has no interest into doing this extra work, and no central authority can force them to do so. Major browsers could push them, though, by telling users that some CA are more trustable than others.

    • by Torp ( 199297 )

      LOL. Most certificate authorities are just saying 'here's what this guy told us his name is'. Basically worthless.
      But it's nice to have a near monopoly service that's no better than a self signed certificate.

    • by jandrese ( 485 )
      Certificates are renewed on multi-year timeframes. We're talking about 2 months here, relatively few of the websites in question would have needed to re-up their certs.
  • How critical is the bug for the particular server? That will vary. For example, my little mail server is running CentOS 4, and does not have the HeartBeat "enhancement" because the updates to that particular distribution stopped before that little throb was introduced. (Sometimes is pays to stay away from the "bleeding edge" of progress!) Yes, it's time to upgrade, but I'm taking my time and doing it slow, because I want to use CentOS 7 when it's released. I'm replacing hardware, too, and I'm testing

"The great question... which I have not been able to answer... is, `What does woman want?'" -- Sigmund Freud

Working...