Even with all the publicity surrounding the vulnerability, there are still almost 200,000 websites and connected systems that remain vulnerable to the ‘Heartbleed’ OpenSSL bug.
The Shodan Report 2017 found the remaining vulnerable sites based on scans conducted by the search engine that enables users to search the Internet for specific types of computers.
That means the vulnerable systems will remain open to a range of exploits that have been around almost since researchers uncovered the bug.
The U.S. leads the pack with 42,032 systems still vulnerable, according to Shodan, followed by South Korea with 15,380, China with 14,116, Germany with 14,072 and France with 8,702.
And the organizations hosting the most vulnerable systems include South Korea’s SK Broadband and Amazon.
On top of that, 75,000 of the vulnerable connected systems are using expired SSL certificates and running aging versions of Linux.
Heartbleed is a security flaw in the open-source OpenSSL cryptography library, which is used in implementations of the Transport Layer Security (TLS) protocol. The flaw was reported to OpenSSL developers on April 1, 2014, and publicly disclosed on April 7, 2014, with a fix released the same day.
However, many organizations have been slow to patch their systems. Many may not even know the software they’re running uses the OpenSSL library. Other TLS implementations are not affected by the flaw.
Indeed, just months after the flaw was reported, Shodan found 300,000 systems remained vulnerable. That was in June 2014.
Shodan is a search engine that enables users to find specific types of devices connected to the Internet using a variety of filters.
Shodan was launched in 2009 by computer programmer John Matherly, who in 2003 conceived the idea of a search engine that could search for devices linked to the Internet, as opposed to information.