Tripping Over Heartbleed’s Long Tail

The news about the dreadful Heartbleed OpenSSL vulnerability keeps pumping – almost a month since it first made headlines. But now that other, equally scary security news is stealing the headlines (like the nasty Internet Explorer vulnerability that was announced this week), Heartbleed is taking a back seat.

So where do things stand? I think it's safe to say that we're entering a phase that might be considered Heartbleed's 'long tail.' On the one hand, there's evidence of good news. The Register reported today that data collected by the firm Qualys suggests that almost all websites that were vulnerable to Heartbleed three weeks ago are now patched and no longer vulnerable.

The Register's John Leyden quotes Ristic, the director of engineering at Qualys, putting the percentage of websites, globally, that are still vulnerable to Heartbleed at 1 percent. That's great news – but I don't think it's the end of the story for Heartbleed. As I wrote here, history suggests that chasing down that final 1 percent of sites vulnerable to Heartbleed will be much harder than it sounds. Like most widespread vulnerabilities, Heartbleed will never fully disappear. Instead, it will become part of the background noise of the Internet: a persistent insecurity that, nevertheless, affects mostly the Internet's poor, weak, vulnerable (and unmanaged).

For one thing: public facing web servers are only the beginning of the story for OpenSSL. The software also has a significant footprint within third-party applications. In just one example of that: Siemens this week announced patches for a number of industrial control applications that used vulnerable OpenSSL libraries. (PDF) They include the company’s eLAN Management Execution System (MES) software and WinCC HMI (human machine interface) management system software. This is the curse of third-party and recycled code that firms like Veracode have long warned about. In short: application shops often drop such open source components into their own creations without independently verifying their security. That’s especially true of widely used components like OpenSSL, which are presumed to have hundreds or thousands of eyes monitoring each commit. As we now know, that isn’t the case.

In some cases, slow patching can even be a good thing. The BBC reported on Wednesday that cyber criminal groups have been among those that have been slow to patch their OpenSSL implementations. That has given anti-malware researchers access to criminal forums that would otherwise be difficult to penetrate.

But the list of devices vulnerable to Heartbleed is long and diverse. It includes many embedded devices, from CCTV cameras to HVAC systems, James Lyne, the global head of security for the firm Sophos, told the BBC.

“There is a very long tail of sites that are going to be vulnerable for a very long time,” Mr Lyne told the BBC.