It's two months after the reveal of one of the biggest vulnerabilities in internet history, 'HeartBleed'. HeartBleed is a critical security vulnerability in OpenSSL, discovered by the independent security firm Codenomicon and by Neel Mehta, a Google security engineer, that allows an attacker to read up to 64 kilobytes of memory from a server running a vulnerable OpenSSL version.
Almost every website was vulnerable to HeartBleed, including the sites of tech giants such as Google, Yahoo, Microsoft, Facebook, Twitter, Amazon and eBay, along with banking and financial institution sites, government portals, and the sites of other security-sensitive organizations.
Earlier, about 600,000 systems were vulnerable to HeartBleed. On Saturday, Errata Security's Robert Graham said that two months after the vulnerability was exposed, 300,000 systems were still vulnerable to HeartBleed. The scan was performed on 20th June and found 309,197 systems still vulnerable, he added.
Graham says this is not a good sign: it shows that people are not concerned about security and are not even trying to patch the vulnerability.
Graham added in a blog post:
“We should see a slow decrease over the next decade as older systems are slowly replaced,” “Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable.”
If you are using OpenSSL in your business, it is recommended that you patch the vulnerability. HeartBleed is one of the most critical vulnerabilities in internet history, and it can expose the internal data of your organization's systems.
You can patch HeartBleed by following the guidelines provided on the OpenSSL page. Anyone still running a vulnerable system should also replace its encryption keys, as they may already have been stolen.
You should especially check for HeartBleed if you are hosting your site on shared hosting. Shared hosting is comparatively cheaper than dedicated hosting, and many of these systems are not built with security in mind: they are very cheap, meant for low-budget websites, and the hosting company doesn't care much about the data on them.
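The first thing a defender can check on a host is which OpenSSL build it is actually running. The script below is an added example, not code from the article or from the OpenSSL project: it parses the output of `openssl version -a` and classifies it against the upstream releases affected by HeartBleed (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g and 1.0.2-beta2 carry the fix, and the 1.0.0 and 0.9.8 branches never had the heartbeat code). Two caveats a practitioner needs are built in: Linux distributions backported the fix without changing the version string, so an affected-looking version only means "consult the package changelog", and a build configured with `no-heartbeats` (visible as `-DOPENSSL_NO_HEARTBEATS` in the compiler flags line) never compiled the vulnerable code. The sample version strings in the test are constructed.

```python
"""Classify an OpenSSL build against the HeartBleed-affected release range.

Added example; not code from the article or from OpenSSL.  Release facts
(1.0.1 to 1.0.1f and 1.0.2-beta1 affected, 1.0.1g / 1.0.2-beta2 fixed) are
from the OpenSSL security advisory, not from the page being edited.
"""
import re
import subprocess

# Matches the first line of `openssl version`, e.g. "OpenSSL 1.0.1e 11 Feb 2013"
# or "OpenSSL 1.0.2-beta1 24 Feb 2014": major.minor.fix, optional patch letter,
# optional "-betaN" suffix.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def heartbleed_status(version_output: str) -> str:
    """Classify the text printed by `openssl version -a`.

    Returns one of:
      'not-affected'   release outside the affected range
      'no-heartbeats'  affected release, but built with -DOPENSSL_NO_HEARTBEATS,
                       so the heartbeat code was never compiled in
      'check-backport' affected upstream version; Debian, Ubuntu, RHEL and
                       others shipped the fix without bumping this string, so
                       the package changelog decides whether it is patched
      'unknown'        not an OpenSSL version string we recognise
    """
    m = VERSION_RE.search(version_output)
    if not m:
        return "unknown"
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letter, beta = m.group(4), m.group(5)

    # 1.0.1 (no letter) through 1.0.1f: single-letter compare is enough
    # because "" < "a" < ... < "f" < "g".  1.0.2 is affected only as beta1.
    affected = ((major, minor, fix) == (1, 0, 1) and letter <= "f") or (
        (major, minor, fix) == (1, 0, 2) and beta == "1"
    )
    if not affected:
        return "not-affected"

    # `openssl version -a` prints the CFLAGS on its "compiler:" line; a build
    # configured with `no-heartbeats` carries this define there.
    if "-DOPENSSL_NO_HEARTBEATS" in version_output:
        return "no-heartbeats"
    return "check-backport"


def local_openssl_status() -> str:
    """Run the installed `openssl version -a` and classify it."""
    try:
        out = subprocess.run(
            ["openssl", "version", "-a"], capture_output=True, text=True, check=False
        ).stdout
    except FileNotFoundError:
        return "unknown"  # no openssl binary on PATH
    return heartbleed_status(out)


if __name__ == "__main__":
    print("local OpenSSL:", local_openssl_status())
```

A `check-backport` result is the expected outcome on a patched Debian or Ubuntu host of that era, which is exactly why a version check alone cannot clear a system; pair it with the package manager's changelog, and, as the article says, treat any host that was ever exposed as one whose keys and certificates need replacing.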