According to Venafi, more than half of the companies on the Forbes Global 2000 list are still vulnerable to the Heartbleed flaw. This follows the recent data breach at Community Health System, which exposed over 4.5 million patients’ personal details and was reportedly down to the OpenSSL flaw.
Richard Cassidy, senior security architect at Alert Logic, explained why Heartbleed is still an issue six months on. “We know from our own research at Alert Logic that many threats exist across customer networks long before they are detected or, more importantly, remediated. Heartbleed technically has been exploitable since OpenSSL 1.0.1 was widely adopted back in March of 2012, and if we look at many other threats, including the recent BlackPOS malware that’s wreaked havoc across ePOS networks, we know that these exploits were long ‘exploitable’ before the industry was even made aware of them.”
TK Keanini, CTO of Lancope, explained that the onus is on the vendors to fix this problem, not the user. “The vulnerable version of the OpenSSL library has been widely used in all types of applications, some of which may be embedded systems (like the Internet of Things), and the discovery and remediation can only take place by the vendor, as the end user has no access to source code or the means to replace the library themselves. These vendors are not performing security-related testing, and thus it will take a long time before they are made aware of the flaw, and it will be at the expense of many exploited systems.”
Amichai Shulman, CTO of Imperva, however questioned the severity of the Heartbleed vulnerability, suggesting this might just be media hype. “While I do not necessarily want to belittle the importance of the ‘Heartbleed’ vulnerability, it does seem odd to me that the only incident directly related to this vulnerability is the recent Community Health breach. This is especially intriguing given the claim by Venafi (below) that so many ‘Internet devices’ remain vulnerable. It just does not add up. I’ve said it in the past with respect to Heartbleed and I’ll say it again now: we have seen vulnerabilities that received far less media attention than Heartbleed being successfully and massively exploited in the wild.”
However, Michael Sutton, VP of security research at Zscaler, warned that this will not be the last we hear of Heartbleed. “With an impact the size of Heartbleed, we can be sure that vulnerable machines will be discovered for years to come.”