When security researchers unveiled the “Heartbleed” security bug in April, it kicked off a worldwide freak-out.
For years, the online world had operated on the assumption that OpenSSL was a secure implementation of the TLS protocol, trustworthy enough for people to use it for everything from email to financial transactions; thanks to Heartbleed, however, an attacker with a moderate level of programming knowledge could exploit the bug to grab anything from passwords to encryption keys.
Following the announcement, developers around the world rushed to patch their systems. But according to a new blog posting from Errata Security’s Robert David Graham, who’s monitored that patching effort since Heartbleed was first announced, the rate of website fixes has steadily declined over the past few months. Earlier this year, it took four weeks for the number of known Heartbleed vulnerabilities to drop from 600,000 to 300,000 systems—but that number’s remained largely unchanged for the past two months, with at least 309,197 systems still open to attack.
Graham believes that people have simply stopped patching the vulnerability. “We should see a slow decrease over the next decade as older systems are slowly replaced,” he wrote. “Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable.” He’ll continue to check periodically over the next several months and years.
While many prominent companies rushed to patch the Heartbleed vulnerability soon after its announcement, it seems likely that thousands of smaller systems remain open to attack. Unfortunately, this might contribute to the rash of security breaches that have bedeviled commercial websites of late. For Web users, the only possible remedy is one that seems tiresomely familiar at this point: Keep changing your passwords on a regular basis, and monitor your online life for any signs of possible hacking.