On Monday, 7 May, the OpenSSL Foundation announced that a vulnerability in its open source software had been discovered, putting millions of websites and their users in danger of cyber attack.

At the same time as announcing the vulnerability - which became known as the Heartbleed Bug - the Foundation issued a new version of OpenSSL which patched the security flaw.

All administrators were warned that it was vital to update their systems' software, as well as to revoke old security certificates and issue new ones.
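The remediation above has three parts, and the last two are the ones that get forgotten: a patched server presenting a certificate that was issued before the patch is still using a key that may have been exposed. The following Python check, an added example that is not part of the original article, flags certificates whose notBefore date predates a cutoff. The host names, certificate data and the cutoff date (the announcement date as given in this article) are constructed sample values; fetch_peer_cert is a hypothetical helper for running the same check against a server you administer.

```python
import datetime
import socket
import ssl

# Announcement date as reported in the article; adjust to the date your own
# servers were actually patched and their keys regenerated.
DISCLOSURE = datetime.datetime(2014, 5, 7, tzinfo=datetime.timezone.utc)

# Constructed sample certificates in the dict shape returned by
# ssl.SSLSocket.getpeercert(). These are not real hosts or real certificates.
SAMPLE_CERTS = {
    "old.example.test": {
        "subject": ((("commonName", "old.example.test"),),),
        "notBefore": "Jan 15 00:00:00 2014 GMT",
        "notAfter": "Jan 15 23:59:59 2016 GMT",
    },
    "reissued.example.test": {
        "subject": ((("commonName", "reissued.example.test"),),),
        "notBefore": "May 20 09:00:00 2014 GMT",
        "notAfter": "May 20 23:59:59 2016 GMT",
    },
}


def issued_before(cert, cutoff):
    """True if the certificate's notBefore date is earlier than cutoff (UTC)."""
    # ssl.cert_time_to_seconds parses the "%b %d %H:%M:%S %Y GMT" format used
    # by getpeercert() and returns seconds since the Unix epoch.
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    return not_before < cutoff.timestamp()


def certs_needing_reissue(certs, cutoff):
    """Return the sorted host names whose certificate predates the cutoff."""
    return sorted(host for host, cert in certs.items() if issued_before(cert, cutoff))


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Hypothetical helper: fetch the leaf certificate of a host you administer.

    Not exercised by the sample run below; it performs a normal TLS handshake
    with certificate validation and returns the getpeercert() dict.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host in certs_needing_reissue(SAMPLE_CERTS, DISCLOSURE):
        print(f"{host}: certificate issued before {DISCLOSURE.date()}, reissue it")
```

The sample run flags only old.example.test; a certificate issued after the cutoff passes. In a real inventory the check should be combined with confirming that the private key was regenerated, since a certificate reissued over the old key gives no protection.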

One month on, and while most admins have heeded the warnings, some have not.

Security researcher Robert Graham has discovered over 300,000 systems which are still open to attack using the Heartbleed flaw.


Last month, when Graham carried out a similar scan of servers connected to the internet (on port 443), he found one million systems supporting the heartbeat feature which was at the centre of the Heartbleed flaw.

Of those, just one third were patched, which isn't surprising as the Heartbleed flaw had only just been revealed.

This week he found 1.5 million systems supporting heartbeat, but just 318,239 of them were vulnerable. While a much bigger percentage of systems is now patched against this attack, a significant proportion remains vulnerable.

Commenting on the change in figures, Graham said:

"This implies to me that the first response to the bug was to disable heartbeats, then later when people correctly patched the software, heartbeats were re-enabled. Note that only OpenSSL supports heartbeats, meaning that the vast majority of SSL-supporting servers are based on software other than OpenSSL."

Indeed, Graham said he found 22 million systems on the internet which supported SSL, meaning that just 5% of them were relying on OpenSSL.

Adding in heartbleed

Another report, from Opera Software developer Yngve Pettersen, reveals that rather than safeguarding their systems, some administrators have got things completely wrong and actually introduced the Heartbleed Bug to their systems by buying new servers.

"It is difficult to definitely say why this problem developed, but one possibility is that all the media attention led concerned system administrators into believing their system was unsecure [which] combined with administrative pressure and a need to 'do something' led them to upgrade an unaffected server to a newer but still buggy version ... not yet officially patched," he said, calling the new server "Heartbroken".

Pettersen suggests that at least 2,500 website administrators have made the mistake.