Only three percent of servers are fully protected against Heartbleed, the OpenSSL vulnerability, according to a study of public-facing web servers run by some of the world's largest firms. "Fully protected" here means more than patched: the server's private key has been replaced, a new SSL certificate issued and the old certificate revoked.
The research, carried out by security specialists at Venafi Labs, examined 550,000 servers belonging to 1,639 companies on the Forbes Global 2000 list, and found that 99 percent of the companies checked had patched the data-leaking Heartbleed flaw.
Venafi said only 15,000 of the patched servers had also changed their private keys, issued new SSL certificates and had the old ones revoked. Because Heartbleed can be exploited to read private keys out of a vulnerable server's memory, the keys and certificates of any server that was exposed should be assumed compromised. Patching stops further leakage but does nothing about a key that was already taken: with the stolen key and an unrevoked certificate an attacker can impersonate the server until the certificate expires, and even after revocation many clients check revocation status only on a best-effort basis and will still accept it.
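The distinction above, patched but not rekeyed versus properly remediated, can be checked from the certificate a server presents. The following is an added example, not Venafi's tooling and not part of the original article: it parses just enough DER to read the certificate's notBefore date and SubjectPublicKeyInfo (SPKI), hashes the SPKI with SHA-256, and compares both against the public disclosure date (7 April 2014) and a baseline SPKI hash that is assumed to have been recorded while the server was running a vulnerable OpenSSL. The sample certificates are constructed inline (unsigned, with dummy key bytes) so that the script runs offline; the field names and verdict strings are this example's own.

```python
"""Classify a server certificate's Heartbleed remediation state (added example).

Reads Validity.notBefore and the DER-encoded SubjectPublicKeyInfo from an
X.509 certificate and compares them with the disclosure date and with a
baseline SPKI hash taken from the key that was in memory while vulnerable.
"""
import hashlib
from datetime import datetime, timezone

HEARTBLEED_DISCLOSED = datetime(2014, 4, 7, tzinfo=timezone.utc)  # public disclosure date


# --- minimal DER reader (enough for the fields this check needs) -------------
def read_tlv(buf, pos):
    """Return (tag, content, raw_tlv, next_pos) for the element starting at pos."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:                      # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    start, end = pos + hdr, pos + hdr + length
    return tag, buf[start:end], buf[pos:end], end


def children(content):
    """Split the content of a constructed element into (tag, content, raw) triples."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, raw, pos = read_tlv(content, pos)
        out.append((tag, body, raw))
    return out


def parse_time(tag, body):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) into an aware datetime."""
    s = body.decode("ascii")
    if tag == 0x17:                        # RFC 5280 century rule for two-digit years
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_certificate(der):
    """Extract notBefore and the SHA-256 of the raw SPKI TLV (the usual pinning input)."""
    _, cert, _, _ = read_tlv(der, 0)
    tbs = children(children(cert)[0][1])   # Certificate -> TBSCertificate -> fields
    if tbs[0][0] == 0xA0:                  # optional explicit [0] version
        tbs = tbs[1:]
    # fields: serial, signature alg, issuer, validity, subject, subjectPublicKeyInfo
    validity, spki = tbs[3], tbs[5]
    nb_tag, nb_body, _ = children(validity[1])[0]
    return {"not_before": parse_time(nb_tag, nb_body),
            "spki_sha256": hashlib.sha256(spki[2]).hexdigest()}


def assess(der, baseline_spki_sha256):
    """Verdict relative to the key that was exposed while the server was vulnerable."""
    info = parse_certificate(der)
    reissued = info["not_before"] >= HEARTBLEED_DISCLOSED
    rekeyed = info["spki_sha256"] != baseline_spki_sha256
    if reissued and rekeyed:
        return "remediated"
    if reissued:
        return "reissued-not-rekeyed"      # new certificate, same leaked key: still compromised
    if rekeyed:
        return "new-key-old-date"          # unexpected; re-check the baseline
    return "pre-disclosure-cert"           # nothing changed since the leak window


# --- tiny DER builder used only to construct sample certificates ---------------
def _len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, content):
    return bytes([tag]) + _len(len(content)) + content


def utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())


def make_cert(not_before, not_after, pubkey):
    """Constructed sample: unsigned certificate with dummy RSA key bytes and the given dates."""
    alg = lambda oid_hex: tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + tlv(0x05, b""))
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))   # CN=
                                       + tlv(0x0C, b"example.test"))))
    spki = tlv(0x30, alg("2a864886f70d010101") + tlv(0x03, b"\x00" + pubkey))  # rsaEncryption
    sig_alg = alg("2a864886f70d01010b")                                         # sha256WithRSA
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig_alg + name
              + tlv(0x30, utctime(not_before) + utctime(not_after)) + name + spki)
    return tlv(0x30, tbs + sig_alg + tlv(0x03, b"\x00" * 33))                   # dummy signature


OLD_KEY = b"\x01" * 64          # stands in for the key that sat in memory while vulnerable
NEW_KEY = b"\x02" * 64
BEFORE = datetime(2013, 6, 1, tzinfo=timezone.utc)
AFTER = datetime(2014, 4, 20, tzinfo=timezone.utc)
EXPIRY = datetime(2016, 6, 1, tzinfo=timezone.utc)


def demo():
    """Three constructed cases: untouched, reissued with the old key, properly rekeyed."""
    vulnerable_era = make_cert(BEFORE, EXPIRY, OLD_KEY)
    baseline = parse_certificate(vulnerable_era)["spki_sha256"]
    return {"unchanged": assess(vulnerable_era, baseline),
            "reissued_same_key": assess(make_cert(AFTER, EXPIRY, OLD_KEY), baseline),
            "rekeyed": assess(make_cert(AFTER, EXPIRY, NEW_KEY), baseline)}


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

To run it against a live host, fetch the leaf certificate with `openssl s_client -connect host:443 </dev/null | openssl x509 -outform DER` and pass the bytes to `assess` together with the SPKI hash recorded before the patch. Two caveats: the baseline must cover every key that was loaded while the server was vulnerable, including a certificate reissued after disclosure but before the host was actually patched, and CAs sometimes backdate notBefore slightly, so treat the date check as a heuristic and the key comparison as the authoritative signal.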
Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, said the OpenSSL flaw had been exploitable for two years before it became public in April. During that time passwords were retrievable by anyone capable of exploiting the flaw, but so were encryption keys and certificate data that could be used to masquerade as corporate servers.
Bocek said the situation was even worse for servers that were not public facing: in many cases servers inside corporate firewalls had not been patched against the Heartbleed flaw.
Among the types of business that fully remediated Heartbleed, the computer services sector performed best, ahead of broadcasting firms, banks and the semiconductor industry.