More than four weeks after the disclosure of the so-called Heartbleed bug found in a widely used cryptography package, slightly more or slightly less than half the systems affected by the catastrophic flaw remain vulnerable, according to two recently released estimates. A scan performed last month by Errata Security CEO Rob Graham found 615,268 servers that indicated they were vulnerable to attacks that could steal passwords, other types of login credentials, and even the extremely sensitive private encryption keys that allow attackers to impersonate websites or monitor encrypted traffic. On Thursday, the number stood at 318,239. Graham said his scans counted only servers running vulnerable versions of the OpenSSL crypto library that enabled the “Heartbeat” feature where the critical flaw resides.
Read the full story at Ars Technica, and the original findings at Errata Security.