Heartbleed bug repair rate slowing

Security flaw still a threat on more than 300,000 web servers worldwide

Android hit too


The Heartbleed bug is still far from being fixed months after it was revealed to be a security threat on up to two-thirds of the world’s websites. Even worse, the fix rate is slowing, according to researchers at Errata Security, and the scope of the threat has widened to include some Android smartphones.

The security company reported on its blog that it found more than 600,000 systems vulnerable when the Heartbleed bug was revealed, but around half of those were found to be patched a month later. Since then, however, the rate of patching has dropped.

Errata’s Robert Graham said on the blog this indicates that people had stopped even trying to patch. “We should see a slow decrease over the next decade as older systems are slowly replaced. Even a decade from now, though, I still expect to find thousands of systems, including critical ones, still vulnerable.”

The report is a warning to consumers to not be complacent about the Heartbleed threat, though many of the web’s most popular websites have been patched to fix the flaw.

The Heartbleed bug is a fault in the OpenSSL library used by many web servers that could allow attackers to steal sensitive user information such as usernames and passwords. It was discovered in April, but is believed to have existed for the past couple of years.

Jelly Bean vulnerable

Meanwhile, Google has revealed in its blog that devices using Android 4.1.1 (Jelly Bean) are not immune to Heartbleed, though other Android versions are. June figures show this affects almost a third of Android devices. Google said patching information for Android 4.1.1 is being distributed to Android partners.

As reported in our previous coverage of Heartbleed, there are steps that any user can take to help safeguard themselves against the bug, including manually checking websites for the vulnerability. See our guide here.

In addition:

  • Users of Google’s Chrome web browser can also install a Heartbleed detector plugin called Chromebleed to warn of sites that may be vulnerable.
  • Security software vendor Trend Micro has also released an Android plugin on the Google Play Store.
  • Firefox users can choose from two desktop browser plugins, Foxbleed or Heartbleed-Ext.

Note that all the Heartbleed detectors can only identify a possible vulnerability; they can’t fix the problem, as this has to be done on the actual web server.

See the Heartbleed site for more general information.


