When the OpenSSL vulnerability Heartbleed broke cover in April, it felt like it was the only thing that mattered for an entire week. Like many news outlets, we reported on the bug from a number of different angles, and it was all for good reason: It's a severe bug, and one that the world needs to know about. Given all of the attention Heartbleed received, it'd be easy to assume that the vulnerability would now be hard to spot out in the wild - but no. Far from it, actually.
When we first learned of Heartbleed, it was estimated that at least half a million Web servers were vulnerable because of it. More importantly, the bug affected a large number of popular services, requiring users to change their passwords on Google, Yahoo!, Pinterest, Facebook, Instagram, and more.
Heartbleed in action
According to the researchers at Errata Security, who run wide-ranging port scans to search for the bug, 318,239 servers were still vulnerable an entire month after Heartbleed was exposed. We would have hoped to see a far lower number by now, but here's where things get depressing: since then, that number has dipped only to 309,197.
That means that not even half of the Heartbleed-affected servers have been patched up. If there's an upside to this, it's that the world's biggest Web services were all quick to patch themselves up. The downside is that we're not entirely sure which services these affected servers belong to.
What this really highlights to me is that many server admins out there simply don't care about keeping their infrastructure secure, which can't be called anything but "incompetent". As time goes on, Heartbleed's presence is sure to decrease, through a combination of people finally getting around to patching their servers and people simply replacing them outright with a fresher software stack. What's it going to take for server admins to begin really taking security seriously?
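The first thing an admin who has been putting this off needs is an inventory: which of the machines they run are still on an affected OpenSSL build? As an added example that is not part of the original article, the script below classifies the banner printed by `openssl version` against the upstream releases known to carry the bug (1.0.1 through 1.0.1f, plus 1.0.2-beta1; 1.0.1g was the fix). The sample banners are constructed, and `local_openssl_banner` assumes an `openssl` binary is on the PATH.

```python
import re
import subprocess

# Matches "OpenSSL 1.0.1e 11 Feb 2013", "OpenSSL 1.0.2-beta1 24 Feb 2014", etc.
VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-(\S+))?")


def parse_version(banner):
    """Parse an `openssl version` banner into (major, minor, fix, letter, tag)."""
    m = VERSION_RE.search(banner)
    if not m:
        raise ValueError(f"unrecognised OpenSSL banner: {banner!r}")
    major, minor, fix, letter, tag = m.groups()
    return int(major), int(minor), int(fix), letter, tag or ""


def classify(banner):
    """Return 'vulnerable-upstream', 'fixed' or 'unaffected' for a banner.

    Only the upstream release history is encoded here; see the note below
    about distribution builds that backport the fix without changing the
    version string.
    """
    major, minor, fix, letter, tag = parse_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) up to and including 1.0.1f shipped the bug;
        # 1.0.1g (7 Apr 2014) and later do not.
        return "vulnerable-upstream" if letter <= "f" else "fixed"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta predates the fix.
        return "vulnerable-upstream" if tag == "beta1" else "fixed"
    # 1.0.0 and older never had the heartbeat code; 1.1.0+ postdates the fix.
    return "unaffected"


def local_openssl_banner():
    """Run the local `openssl version` and return its banner, or None if absent."""
    try:
        out = subprocess.run(["openssl", "version"], capture_output=True,
                             text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return None
    return out.stdout.strip()


if __name__ == "__main__":
    # Constructed sample banners, as an admin might collect them from a fleet.
    samples = [
        "OpenSSL 1.0.1e 11 Feb 2013",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.2-beta1 24 Feb 2014",
        "OpenSSL 1.0.0l 6 Jan 2014",
    ]
    for b in samples:
        print(f"{b:35} -> {classify(b)}")
    local = local_openssl_banner()
    if local:
        print(f"{local:35} -> {classify(local)} (this host)")
```

Two caveats apply when reading the result. Distributions such as Debian, Ubuntu and Red Hat shipped the fix as a backport, so a host can report `OpenSSL 1.0.1e` and still be patched; for those, "vulnerable-upstream" means "check the package version against the vendor advisory", not "confirmed vulnerable". Conversely, a build compiled with `-DOPENSSL_NO_HEARTBEATS` never exposes the bug regardless of its version string. The version check is a quick way to find the hosts that need a closer look, not a substitute for applying the vendor's update.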