When the Heartbleed vulnerability was disclosed in April 2014, many organizations scrambled to patch the bug. However, even a year later, little progress has been made toward completing remediation and removing the threat. As of April 2015, 74% of the Global 2000 companies that had public-facing vulnerable systems are still vulnerable. That is only a 2% improvement in 8 months, leaving almost 3 in every 4 of these companies open to breach. Action is still needed: affected private keys must be found and replaced.
This was revealed by the Venafi Labs team, which re-evaluated SSL/TLS vulnerabilities in Q1 2015 and found that most Global 2000 organizations have failed to completely remediate Heartbleed — now a full year after the vulnerability was first publicly disclosed. This leaves these organizations exposed to cyber attacks, future brand damage, and intellectual property loss.
Heartbleed is a vulnerability in OpenSSL 1.0.1 through 1.0.1f (inclusive). It allows an attacker to extract data from the target, including the SSL/TLS private keys behind X.509 digital certificates, without breaking into the environment or being detected. From the start, it was clear that Heartbleed was not just another “patch-it” event. It struck at the core of what creates online trust: SSL keys and certificates. If SSL keys and certificates are compromised, websites can be spoofed for phishing attacks and encrypted communications decrypted via man-in-the-middle (MITM) tactics, resulting in customer data loss and intellectual property theft.
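The distinction the article draws, between patching OpenSSL and actually remediating Heartbleed, is easy to lose in an asset inventory that only records version numbers. The following is an added example, not code from the original post or from Venafi, of an inventory check that separates the two: it classifies OpenSSL version strings against the affected range named above (1.0.1 through 1.0.1f) and then asks, for each formerly vulnerable host, whether the private key served today is still the one that was exposed, whether the current certificate predates the patch, and whether the old certificate was revoked. The hostnames, dates and key fingerprints in the sample inventory are constructed, and the `Host` record, its fields and the status labels are assumptions of this example rather than any product's schema.

```python
"""Added example (not from the original post): separate "patched" from
"remediated" for Heartbleed across a constructed host inventory."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Iterable, Optional

# Heartbleed affected OpenSSL 1.0.1 through 1.0.1f; 1.0.1g was the first
# fixed release, and the 0.9.8 / 1.0.0 branches never had the heartbeat bug.
# Distribution packages often backport the fix without changing the version
# string, so a version match is a reason to verify, not proof of exposure.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(?:[-+].*)?$")


def is_heartbleed_affected(version: str) -> bool:
    """True if the OpenSSL version string falls in 1.0.1 .. 1.0.1f."""
    m = _VER_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    major, minor, fix, letter = m.groups()
    if (int(major), int(minor), int(fix)) != (1, 0, 1):
        return False
    # "" (plain 1.0.1) sorts before "a"; "g" and later are fixed releases.
    return letter <= "f"


@dataclass
class Host:
    """Assumed inventory record; field names are this example's own."""
    name: str
    openssl_version: str          # version observed at disclosure time
    patched_on: Optional[date]    # date OpenSSL was upgraded, None if never
    key_fp_at_disclosure: str     # SPKI fingerprint of the key that was exposed
    key_fp_now: str               # SPKI fingerprint of the key served today
    cert_not_before: date         # notBefore of the certificate served today
    old_cert_revoked: bool        # was the exposed certificate revoked?


def remediation_status(h: Host) -> str:
    """Classify a host; only 'remediated' means the exposed key is gone."""
    if not is_heartbleed_affected(h.openssl_version):
        return "not-affected"
    if h.patched_on is None:
        return "vulnerable"
    # Patching stops further leakage but does nothing about a key that may
    # already have been read from memory: a new key pair is required.
    if h.key_fp_now == h.key_fp_at_disclosure:
        return "patched-key-not-replaced"
    # A certificate issued before the patch was minted while the host was
    # still exposed, so its key cannot be assumed private either.
    if h.cert_not_before < h.patched_on:
        return "patched-cert-predates-fix"
    if not h.old_cert_revoked:
        return "key-replaced-old-cert-not-revoked"
    return "remediated"


def still_exposed_fraction(hosts: Iterable[Host]) -> float:
    """Share of affected hosts whose exposed key is still in play."""
    affected = [h for h in hosts if is_heartbleed_affected(h.openssl_version)]
    if not affected:
        return 0.0
    exposed = [h for h in affected if remediation_status(h) != "remediated"]
    return len(exposed) / len(affected)


# Constructed sample inventory: hostnames, dates and fingerprints are made up.
SAMPLE = [
    Host("www.example.test", "1.0.1e", date(2014, 4, 8),
         "aa:11", "bb:22", date(2014, 4, 9), True),
    Host("api.example.test", "1.0.1f", date(2014, 4, 8),
         "cc:33", "cc:33", date(2014, 4, 9), False),   # reissued with same key
    Host("vpn.example.test", "1.0.1c", None,
         "dd:44", "dd:44", date(2013, 6, 1), False),
    Host("legacy.example.test", "1.0.0k", None,
         "ee:55", "ee:55", date(2013, 1, 1), False),
    Host("mail.example.test", "1.0.1g", None,
         "ff:66", "ff:66", date(2014, 5, 1), False),
]

if __name__ == "__main__":
    for host in SAMPLE:
        print(f"{host.name:22s} {remediation_status(host)}")
    print(f"still exposed: {still_exposed_fraction(SAMPLE):.0%}")
```

The key comparison is the step most inventories skip: a certificate reissued from the old key pair looks freshly remediated by its dates but leaves the exposed key in service, which is exactly the "patched but not remediated" state the article describes. The version check is deliberately conservative in the other direction, flagging distribution builds that may already carry a backported fix, so its output is a worklist to verify rather than a final verdict.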