
Thousands of UK sites haven’t patched serious Heartbleed SSL bug

Thursday, January 26, 2017 By Read Time: 2 min.

New figures show vast numbers of websites are still vulnerable to the venerable Heartbleed bug


An enormous number of sites - nearly 200,000 - across the globe have not yet patched the severe and well-documented Heartbleed vulnerability in OpenSSL.

According to the 2017 Shodan report, the UK alone has some 6,491 vulnerable systems and servers still live, although the UK is far from the worst offender at number seven in the table: the US romps away with 42,032 systems still vulnerable, followed by South Korea with 15,380, China with 14,116, Germany with 14,072 and France with 8,702.


Heartbleed was reported to the OpenSSL developers on 1 April 2014 and publicly disclosed on 7 April 2014; a fix was released the same day. The flaw in the widely used open-source OpenSSL cryptography library caused considerable concern at the time, due to the potential for an attacker to read the memory of any system protected by a vulnerable version. If you’re not sure whether your business has patched it yet, use this free SSL security test to find out for sure. On the test’s 100-point scoring system, vulnerability to Heartbleed costs 70 points, the largest deduction for any single vulnerability.

Ilia Kolochenko, High-Tech Bridge CEO said: “Taking into consideration high severity and big age of the vulnerability, I think unpatched systems are mainly represented by various network devices and forgotten servers. Such shadow systems represent a huge risk for companies, as nobody is aware of their existence and nobody cares to keep them secure. Attackers are always looking for an easy way to get in, and a forgotten device in the external IT perimeter of a company can be a great gift to them. Cybercriminals are looking for such systems to compromise them and turn them into DDoS or spam zombies. The situation is aggravated with embedded IoT devices – that are often abandoned with a set of critical flaws exploitable from the Internet that nobody bothers to patch. Comprehensive inventory of digital assets and continuous security monitoring are vital to keep corporate infrastructure secure and avoid such dangerous situations.”

Of course, it is likely that many organisations will simply not be aware that they are running software that uses an outdated version of the OpenSSL library, which must account for some of these figures - in the last 12 months, 58.7 per cent of web servers tested on High-Tech Bridge’s free SSL test were not PCI DSS compliant:


The Shodan report found that the organisations hosting the most vulnerable systems include South Korea's SK Broadband, Amazon, Verizon and Comcast. Approximately 75,000 of the vulnerable connected systems are using expired SSL certificates and running ageing versions of Linux. Unfortunately, the report uncovers extremely slow progress in patching the flaw among these most egregious offenders: the same report in June 2014, just two months after disclosure, found 300,000 systems were vulnerable, so it seems only a third have taken action to rectify the issue in the intervening two-and-a-half years...

There have been a variety of efforts to improve upon the almost two-decade-old OpenSSL software library’s implementation of TLS encryption, most coming after the discovery of Heartbleed. Stripped-down competitors include LibreSSL, a fork maintained by the group behind the OpenBSD operating system; BoringSSL, a version designed for Google projects (Android 6.0 and above and Chrome use BoringSSL); and, more recently, BearSSL, which is designed for high-performance implementations such as IoT platforms, where small size and efficiency are key.

However, research from High-Tech Bridge from the first half of 2016 found that in fact only 0.43 per cent of websites tested were vulnerable to Heartbleed, but an enormous 23 per cent were still vulnerable to POODLE, or "Padding Oracle On Downgraded Legacy Encryption".
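The three conditions this article keeps returning to (a Heartbleed-affected OpenSSL build, an expired certificate, and SSLv3 still negotiable, which is what POODLE needs) are exactly what an asset inventory should flag. The script below is an added example written for this page; it is not code from the article, from High-Tech Bridge's SSL test or from Shodan. It assumes each asset is described by an observed server banner, its certificate's notAfter date and the protocol versions it accepts, and it uses the well-known affected OpenSSL range (1.0.1 through 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g), which the article itself does not state. The inventory entries are constructed, not real hosts.

```python
"""Asset-inventory triage for Heartbleed-era exposure (added example).

Illustration written for this page, not code from the article, High-Tech
Bridge or Shodan. Assumptions not taken from the article: each asset is
described by its server banner, its certificate's notAfter date and the
SSL/TLS protocol versions it still accepts. The Heartbleed-affected OpenSSL
range (1.0.1 to 1.0.1f, plus 1.0.2-beta1; fixed in 1.0.1g) and the SSLv3
precondition for POODLE are general knowledge, not figures from the page.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import date

# Matches an OpenSSL product token in a typical Server banner, e.g. "OpenSSL/1.0.1e".
OPENSSL_TOKEN_RE = re.compile(r"OpenSSL/([0-9][0-9A-Za-z.\-]*)")
# Heartbleed-affected releases: 1.0.1 through 1.0.1f, and 1.0.2-beta1.
HEARTBLEED_VERSION_RE = re.compile(r"^1\.0\.1[a-f]?$|^1\.0\.2-beta1$")


@dataclass
class Asset:
    host: str                 # constructed hostname, not a real system
    banner: str               # Server header as observed, or "" if none
    cert_not_after: date      # certificate expiry (notAfter)
    protocols: set[str] = field(default_factory=set)  # negotiable protocol versions


def parse_openssl_version(banner: str) -> str:
    """Return the OpenSSL version advertised in a banner, or "" when absent."""
    m = OPENSSL_TOKEN_RE.search(banner)
    return m.group(1) if m else ""


def is_heartbleed_version(version: str) -> bool:
    """True when the version string falls in the Heartbleed-affected range."""
    return bool(HEARTBLEED_VERSION_RE.match(version.strip()))


def triage(asset: Asset, today: date) -> list[str]:
    """Flag the three conditions the article discusses, in a fixed order."""
    findings: list[str] = []
    if is_heartbleed_version(parse_openssl_version(asset.banner)):
        findings.append("heartbleed")
    if asset.cert_not_after < today:
        findings.append("expired-cert")
    if "SSLv3" in asset.protocols:
        findings.append("poodle")   # POODLE needs SSLv3 to be negotiable
    return findings


def report(inventory: list[Asset], today: date) -> dict[str, list[str]]:
    """Map each host to its findings (an empty list means nothing flagged)."""
    return {a.host: triage(a, today) for a in inventory}


def count_by_finding(rep: dict[str, list[str]]) -> dict[str, int]:
    """Count how many hosts carry each finding, for a fleet-level view."""
    return dict(Counter(f for findings in rep.values() for f in findings))


# Constructed sample inventory; hostnames, banners and dates are made up.
INVENTORY = [
    Asset("www.example.test", "Apache/2.4.18 (Ubuntu) OpenSSL/1.0.2g",
          date(2017, 9, 1), {"TLSv1.2"}),
    Asset("legacy-vpn.example.test", "Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e",
          date(2016, 3, 1), {"SSLv3", "TLSv1"}),
    Asset("cam-42.example.test", "lighttpd/1.4.35 OpenSSL/1.0.1f",
          date(2018, 1, 1), {"TLSv1"}),
    Asset("mail.example.test", "Postfix",
          date(2017, 2, 1), {"SSLv3", "TLSv1.2"}),
]

if __name__ == "__main__":
    today = date(2017, 1, 26)  # the article's publication date
    rep = report(INVENTORY, today)
    for host, findings in rep.items():
        print(f"{host:28s} {', '.join(findings) or 'ok'}")
    print(count_by_finding(rep))
```

Banner-based version checks only catch hosts that advertise OpenSSL in a header, so a host with no banner (the constructed `mail.example.test` above) is not cleared of Heartbleed, merely unclassified; an active scan or a package-level check on the host itself is needed to close that gap. The point of the fleet-level counter is the one Kolochenko makes: the forgotten device that never appears in the inventory is the one that stays unpatched.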


Mark Mayne has covered the security industry for more than 15 years, editing news for SC Magazine and editing SecurityVibes UK. Mark has a background in national news journalism and tech reporting, and has run b2b and b2c editorial sites.
