
More than 20,000 major sites remain vulnerable to Heartbleed

[Image: Heartbleed logos. Credit: Global Panorama / Flickr]

While many of the top websites in the world have protected themselves from the Heartbleed security vulnerability, plenty of them still need work — as do several pieces of software from data center technology giant VMware.

Information-security company Sucuri scanned the top 1 million websites in Alexa's ranking and found that, while most have been fixed, 20,320 remain vulnerable. Sucuri did not name the sites still at risk.

“We were glad to see that the top 1,000 sites in the world were all properly patched and that just 0.53 percent of the top 10,000 still had issues,” Sucuri chief technology officer Daniel Cid wrote yesterday in a blog post. “However, as we went to less popular [and smaller] sites, the number of unpatched servers grew to 2 percent. That is not surprising, but we expected better.”

Cid and his colleagues had good reason to expect better: Heartbleed has drawn heavy media coverage, and cloud providers such as Heroku and Amazon Web Services, networking-gear makers such as Cisco and Juniper, and other vendors of the Internet's underlying infrastructure have all published disclosures about it.

Heartbleed is a bug in the TLS heartbeat extension of certain versions of the open-source OpenSSL cryptographic library (1.0.1 through 1.0.1f; fixed in 1.0.1g). A heartbeat request carries a payload and a field stating the payload's length; the vulnerable code copied as many bytes as that field claimed into its reply without checking that the request actually contained them. An attacker who claims a large payload but sends a tiny one therefore gets back up to 64 KB of whatever sits next to the request in the server's memory, which can include private keys, session cookies and passwords, and the attack leaves nothing unusual in ordinary server logs.
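To make the missing check concrete, here is a simulation of the heartbeat handler, written as an added example for this page (it is not OpenSSL's source). It models server memory as a byte array with the received record at the front and a constructed secret string placed right after it; the vulnerable handler trusts the length field inside the message, the patched handler applies the bounds check that OpenSSL 1.0.1g added. The record layout, the secret, and the helper names are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16          /* RFC 6520: at least 16 bytes of padding */

/* Constructed stand-in for server process memory. The heartbeat record is
 * written at offset 0; whatever follows it is "other" memory (in a real
 * process: keys, cookies, other connections' plaintext). Large enough that a
 * 64 KB over-read stays inside the array, so the demo itself is memory-safe. */
#define MEM_SIZE (65536 + 64)
static unsigned char g_memory[MEM_SIZE];
static unsigned char g_out[65536];
static const char *SECRET = "SESSION=deadbeefcafe; user=alice";   /* constructed */

/* Write a heartbeat request into memory: type, 2-byte big-endian claimed
 * payload length, the real payload, padding. Returns the record length the
 * TLS record layer would report, i.e. the bytes actually received. The
 * constructed secret is placed immediately after the record. */
size_t build_request(uint16_t claimed_len, const char *payload, size_t real_len)
{
    memset(g_memory, 0, MEM_SIZE);
    unsigned char *p = g_memory;
    *p++ = HB_REQUEST;
    *p++ = (unsigned char)(claimed_len >> 8);
    *p++ = (unsigned char)(claimed_len & 0xff);
    memcpy(p, payload, real_len);
    p += real_len;
    memset(p, 0, HB_PADDING);
    p += HB_PADDING;
    size_t record_len = (size_t)(p - g_memory);
    strcpy((char *)p, SECRET);        /* adjacent memory the attacker wants */
    return record_len;
}

/* Vulnerable handler (same logic as OpenSSL before 1.0.1g): the claimed
 * length is used for the copy and never compared with record_len.
 * Returns the number of payload bytes echoed back, or -1 on rejection. */
int hb_process_vulnerable(const unsigned char *rec, size_t record_len,
                          unsigned char *out, size_t out_cap)
{
    (void)record_len;                          /* the bug: never consulted */
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST || payload > out_cap) return -1;
    memcpy(out, p, payload);                   /* over-reads past the record */
    return payload;
}

/* Patched handler: reject records too short for header + padding, then
 * reject any request whose claimed payload does not fit in the record. */
int hb_process_patched(const unsigned char *rec, size_t record_len,
                       unsigned char *out, size_t out_cap)
{
    if (1 + 2 + HB_PADDING > record_len) return -1;
    const unsigned char *p = rec;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (hbtype != HB_REQUEST || payload > out_cap) return -1;
    if (1 + 2 + (size_t)payload + HB_PADDING > record_len) return -1; /* discard */
    memcpy(out, p, payload);
    return payload;
}

/* Does the echoed buffer contain the adjacent secret? */
int contains_secret(const unsigned char *buf, int n)
{
    size_t slen = strlen(SECRET);
    if (n < 0 || (size_t)n < slen) return 0;
    for (size_t i = 0; i + slen <= (size_t)n; i++)
        if (memcmp(buf + i, SECRET, slen) == 0) return 1;
    return 0;
}

/* Scenario helpers: an honest 4-byte "ping", and a request that claims
 * 16384 bytes while sending the same 4. */
int honest_vulnerable(void)
{ size_t n = build_request(4, "ping", 4); return hb_process_vulnerable(g_memory, n, g_out, sizeof g_out); }
int honest_patched(void)
{ size_t n = build_request(4, "ping", 4); return hb_process_patched(g_memory, n, g_out, sizeof g_out); }
int malicious_vulnerable(void)
{ size_t n = build_request(0x4000, "ping", 4); return hb_process_vulnerable(g_memory, n, g_out, sizeof g_out); }
int malicious_vulnerable_leaks(void)
{ int n = malicious_vulnerable(); return contains_secret(g_out, n); }
int malicious_patched(void)
{ size_t n = build_request(0x4000, "ping", 4); return hb_process_patched(g_memory, n, g_out, sizeof g_out); }

int main(void)
{
    printf("honest request:    vulnerable=%d patched=%d\n", honest_vulnerable(), honest_patched());
    printf("malicious request: vulnerable copied %d bytes (secret leaked=%d), patched=%d\n",
           malicious_vulnerable(), malicious_vulnerable_leaks(), malicious_patched());
    return 0;
}
```

The comparison in the patched handler is also the signature network IDS rules use to flag Heartbleed scans: a heartbeat request whose claimed payload length exceeds the TLS record that carries it.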

In the past week, Sucuri discovered more than 48,000 attacks designed to take advantage of the Heartbleed flaw. “The bulk of them come from Amazon EC2 instances, likely set up to do these scans,” Cid wrote.

And just as some websites remain unpatched, VMware, which provides software for running companies' onsite data center infrastructure, still hasn't patched all of its affected products.