TheJakartaPost

News Flash: More than 300,000 still at risk from Heartbleed

The Jakarta Post
Published on Tue, May 20, 2014 (2014-05-20T12:59:32+07:00)

JAKARTA: More than 300,000 servers remain vulnerable to the Heartbleed security hole, a month after the critical vulnerability was first revealed, a security researcher has said.

Security researcher Robert David Graham conducted a global internet scan and found that 1.5 million servers still support OpenSSL's "heartbeat" feature, the feature in which the bug resides. OpenSSL is an open-source implementation of the Secure Sockets Layer (SSL) protocol.

"It's been a month since the Heartbleed bug was announced, so I thought I'd rescan the internet (port 443) to see how many systems remain vulnerable," Graham wrote in his report.

"Whereas my previous scan a month ago found 600,000 vulnerable systems, today's scan found roughly 300,000 thousand systems (318,239 to be precise)."

The number only includes confirmed cases. Other systems may have escaped Graham's search due to spam blocking or unorthodox OpenSSL setups.

Major services like Google have already patched their servers, but smaller and less-secure services could still be harmed. Attackers could manipulate vulnerable servers and use Heartbleed to eavesdrop on communications, steal data or impersonate services and users.

The original flaw was detected last month. Sites affected include Gmail, YouTube, Facebook, Tumblr, Yahoo! and Dropbox.

Heartbleed is a security bug in OpenSSL's cryptography library for implementing the Internet's Transport Layer Security (TLS) protocol. The bug allows anyone on the Internet to read the memory of the systems protected by vulnerable versions of OpenSSL.

The bug exploits an OpenSSL feature called "heartbeat". When your computer makes a request, the heartbeat will normally only send back the amount of data your computer sent. On a vulnerable server, however, hackers can make a request for data from the server's memory beyond the total data of the initial request.
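The missing safeguard described above is a comparison between the payload length a heartbeat request claims and the number of bytes that actually arrived. The following C sketch is an added example, not OpenSSL's code or anything from the original article: the message layout follows RFC 6520, while the function names and the two sample records are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* RFC 6520 heartbeat message layout:
 * type (1 byte) | payload_length (2 bytes, big-endian) | payload | padding (>= 16 bytes) */
enum { HB_REQUEST = 1, HB_RESPONSE = 2, HB_HEADER = 3, HB_MIN_PAD = 16 };

/* Length the sender *claims* its payload has. Caller must ensure rec holds >= 3 bytes. */
size_t hb_claimed_len(const uint8_t *rec) {
    return ((size_t)rec[1] << 8) | rec[2];
}

/* Hypothetical handler: writes the response to out and returns its size,
 * or returns 0 when the request must be silently discarded. */
size_t hb_respond_checked(const uint8_t *rec, size_t rec_len,
                          uint8_t *out, size_t out_cap) {
    if (rec_len < HB_HEADER + HB_MIN_PAD || rec[0] != HB_REQUEST)
        return 0;                       /* too short to be a heartbeat request */
    size_t claimed = hb_claimed_len(rec);
    size_t need = HB_HEADER + claimed + HB_MIN_PAD;
    if (need > rec_len)                 /* the check a vulnerable handler lacks: */
        return 0;                       /* claimed length exceeds what arrived   */
    if (need > out_cap)
        return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + HB_HEADER, rec + HB_HEADER, claimed);  /* stays inside rec */
    memset(out + HB_HEADER + claimed, 0, HB_MIN_PAD);   /* zeros here; RFC 6520 uses random padding */
    return need;
}

int main(void) {
    /* Constructed samples: both records are 23 bytes on the wire. */
    uint8_t honest[23] = {HB_REQUEST, 0x00, 0x04, 'p', 'i', 'n', 'g'};
    uint8_t overclaim[23] = {HB_REQUEST, 0x40, 0x00, 'p', 'i', 'n', 'g'};
    uint8_t out[64];
    printf("honest:    claims %zu, response %zu bytes\n", hb_claimed_len(honest),
           hb_respond_checked(honest, sizeof honest, out, sizeof out));
    printf("overclaim: claims %zu, response %zu bytes\n", hb_claimed_len(overclaim),
           hb_respond_checked(overclaim, sizeof overclaim, out, sizeof out));
    return 0;
}
```

A handler that copies `hb_claimed_len()` bytes without the `need > rec_len` comparison would read past the 23-byte record into adjacent memory, which is the behaviour the article describes.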
