The Heartbleed bug is still prevalent among appliances and devices that rely on SSL despite almost a year passing since it was discovered, according to data collected by the security vendor Qualys.
An analysis of the most common vulnerabilities between November and January showed that SSL bugs accounted for four out of the top ten, with Heartbleed claiming last place despite the huge publicity around the bug.
"Over the last year Heartbleed was the most important problem," said Wolfgang Kandek, CTO at Qualys. "My feeling is that people are still focused on their web servers and things that they know about, and they are less attentive about applying that to other devices."
He added that device vendors may still be selling products vulnerable to the Heartbleed bug because the products had been shrink-wrapped before the flaw was discovered and have not been patched since.
He also noted that such items often did not have the automatic patching common to consumer products like smartphones, which was something the vendors should look into implementing.
"I don’t want to say it will never go away, but there’s certainly a lot of these devices," he said. "I think there are other issues but the Heartbleed one is the most visible. It’s the easiest to exploit; the tools are out there to do it."
Heartbleed was discovered last April lurking in the SSL security layer used to encrypt traffic between web servers and clients, with the flaw enabling hackers to perform man-in-the-middle (MitM) attacks, a form of electronic eavesdropping.
After it was publicly disclosed, many web companies patched their servers and advised people to change their passwords, but the prevalence of the technology led many security experts to predict it would have a long legacy.
This article is from the CBROnline archive: some formatting and images may not be present.