Errata On Heartbleed: Still 300k Vulnerable

Robert Graham of Errata Security recently wrote in a blog post that over 300,000 hosts are still vulnerable to the OpenSSL heartbleed bug and posited that people had stopped even trying to patch.

While disconcerting, I imagine that a significant portion of the ~300k reported are embedded systems and that sysadmins are likely aware of the issue but effectively have their hands tied until their vendors submit a patch. Given that many consumer devices like DSL CPE’s are seldom updated, and many ISPs make the mistake of leaving remote administration open without even applying basic security hygeine practices like IP filtering to only their internal networks, I assume that these problems won’t be solved any time soon. Heck, there are still routers affected by the d-link hardcoded administrative password vulnerability that remain accessible.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s