'Heartbroken' admins add to problem of myriad unpatched boxen
At least 2500 website administrators have made their previously secure sites vulnerable to Heartbleed more than a month after the bug sent the world into a hacker-fearing frenzy.
Opera Software developer Yngve Pettersen discovered the bungle while probing for Heartbleed vulnerable systems in the weeks after the bug was disclosed on April 7.
Heartbleed was a widespread input-validation vulnerability in the heartbeat extension of OpenSSL that potentially allowed passwords, sensitive private keys and session cookies to be stolen. The bug was patched on the day of disclosure.
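To make the input-validation failure concrete, here is an added example (not from the article and not OpenSSL's own code): a length check for heartbeat messages laid out as in RFC 6520 (1-byte type, 2-byte payload_length, payload, at least 16 bytes of padding), with constructed sample records rather than captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define HB_HEADER_LEN   3   /* 1-byte type + 2-byte payload_length (RFC 6520) */
#define HB_MIN_PADDING 16   /* RFC 6520: at least 16 bytes of padding follow the payload */
#define HB_REQUEST      1
#define HB_RESPONSE     2

/* Return the payload length of a heartbeat message, or -1 if the
 * peer-supplied payload_length does not fit inside the received
 * record. Heartbleed was the absence of exactly this check: the
 * claimed length was trusted and that many bytes were copied from
 * process memory into the response. */
int heartbeat_payload_len(const uint8_t *rec, size_t rec_len)
{
    if (rec == NULL || rec_len < HB_HEADER_LEN + HB_MIN_PADDING)
        return -1;                       /* cannot even hold header + padding */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (HB_HEADER_LEN + claimed + HB_MIN_PADDING > rec_len)
        return -1;                       /* claimed payload overruns the record */
    return (int)claimed;
}

/* Build a heartbeat_response echoing only the validated payload.
 * Returns the response length, or -1 on a malformed request or a
 * too-small output buffer. Padding is zeroed here for determinism;
 * RFC 6520 says it should be random. */
int heartbeat_build_response(const uint8_t *rec, size_t rec_len,
                             uint8_t *out, size_t out_len)
{
    int n = heartbeat_payload_len(rec, rec_len);
    if (n < 0 || rec[0] != HB_REQUEST)
        return -1;
    size_t total = HB_HEADER_LEN + (size_t)n + HB_MIN_PADDING;
    if (out_len < total)
        return -1;
    out[0] = HB_RESPONSE;
    out[1] = (uint8_t)(n >> 8);
    out[2] = (uint8_t)(n & 0xff);
    memcpy(out + HB_HEADER_LEN, rec + HB_HEADER_LEN, (size_t)n); /* bounded by the check above */
    memset(out + HB_HEADER_LEN + n, 0, HB_MIN_PADDING);
    return (int)total;
}

/* Constructed sample records (not captured traffic). */
static const uint8_t kGoodReq[] = { HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g',
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };               /* 4-byte payload + 16 padding */
static const uint8_t kBadReq[]  = { HB_REQUEST, 0xFF, 0xFF,
    0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 };               /* claims 65535 bytes, carries none */
```

The second record is the shape of a malformed request: the checked parser rejects it instead of reading past the 19 bytes that actually arrived.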
With his TLS Prober tool in hand, Pettersen pinged half a million separate servers from sites rated as popular by Alexa and found that hapless admins had, presumably in a panic, updated boxes that were previously unaffected (or possibly newly deployed) to the latest available release, and in doing so introduced the Heartbleed bug.
He found that about 20 per cent of the scanned vulnerable servers, and 32 per cent of those running F5 BigIP, were new to the Heartbleed club: administrators had introduced the vulnerability themselves.
The number of BigIP boxes coming online had doubled in the last month, he said, indicating a run of purchases.
"It is difficult to definitely say why this problem developed, but one possibility is that all the media attention led concerned system administrators into believing their system was unsecure [which] combined with administrative pressure and a need to 'do something' led them to upgrade an unaffected server to a newer but still buggy version ... not yet officially patched," he said, dubbing the new fail boxes "Heartbroken".