It’s been a couple of months since Heartbleed, one of the most critical OpenSSL vulnerabilities to ever impact people, was introduced to the world.
Upon learning the news, Errata Security ran a scan and discovered some 600,000 vulnerable systems. Two months later and the situation is still critical, as only half of these have been patched, which means that there are still 300,000 vulnerable systems out there.
The greater issue is that there was pretty much the same number of unpatched servers a month ago. This indicates that people have stopped even trying to patch their systems, and that is bad news for the future. If patching has already stopped, merely two months after discovery, how many such machines will still be affected by the vulnerability five years from now?
Heartbleed was discovered by a Google engineer and drew a lot of attention at the time because of how much of the web was affected by it. The security impact of this kind of OpenSSL vulnerability is tremendous considering the fact that attacks that take advantage of Heartbleed leave no traces behind on the affected servers.
This means that no one knows whether the vulnerability was spotted and exploited beforehand and, if so, how much information was extracted.
Basically, any type of data passing through a targeted server at the time of the attack can be intercepted. While the bulk of it may be private conversations, it can also include SSL keys, typed-in passwords, banking information, email addresses and other data you wouldn’t want to share with anyone.
Since the vulnerability had been around for two years prior to being discovered, the panic was even greater, and many even questioned whether the NSA knew about it and kept things secret, choosing to exploit it rather than warn everyone.
But Secunia Research, a company that deals with information security, says that things weren’t as critical as they appeared to be and rated Heartbleed with a 3 out of 5, with 5 being “extremely critical.”
“Going by the PR Heartbleed received, you would be excused for thinking that what we were dealing with here was, indeed, ‘extremely critical.’ But it was not, as vulnerabilities go. That rating we use for ‘remotely exploitable vulnerabilities that can lead to system compromise. Successful exploitation does not normally require any interaction and exploits are in the wild’,” Secunia's Kasper Lingaard, director of security, said recently.
In fact, as a vulnerability, Heartbleed scores about as high as your average Denial of Service (DoS). What made it so big, however, was the fact that it affected OpenSSL, a library that is used by most applications to perform data encryption.