180,000 servers still vulnerable to Heartbleed
Around 180,000 servers worldwide are still vulnerable to Heartbleed, the serious SSL vulnerability discovered in 2014.
A report from internet-connected device search engine Shodan shows that despite a fix being available for nearly two full years, as of 22 January there remained nearly 200,000 vulnerable servers, although this had declined to around 180,000 as of 30 January.
In Australia, there were 2596 vulnerable hosts at the time of the 22 January report. This compares to 42,032 hosts in the US — the top country for lingering Heartbleed vulnerabilities — but just 535 for New Zealand.
When Heartbleed was first publicised in April 2014, there were an estimated 600,000 vulnerable servers connected to the internet. This had fallen to around 250,000 at the start of 2015, but there remain around 180,000 vulnerable systems.
As of 22 January, the largest number of vulnerable servers were hosted on AWS, with ISPs and hosting companies making up the remainder of the top 10.
By far the majority of the vulnerable servers were running Linux, with just 90 servers on various versions of Windows and just 31 running either FreeBSD or OpenBSD.
It is well known that legacy security issues never truly fade away, but the fact that so many Heartbleed-vulnerable servers remain active is notable given all the attention paid to the vulnerability in the security community and the media following its discovery.
