4.4 percent of SSL enabled websites and 8.7 percent of Android apps with build-in SSL library are still vulnerable, even after 16 days of the initial disclosure, said Trustlook, a mobile security start-up in San Jose.
Trustlook warned that after large websites (Yahoo, Github and GoDaddy, etc) patched themselves, the attackers’ focus is shifting to smaller sites and mobile platform.
Heartbleed impacts services include web, file transfer, and email services. Take web services as an example, both Apache and Nginx use OpenSSL for secure connections, and they occupy 66 percent of the web server market.
Trustlook has analyzed Alexa’s top 1 million websites and over 120,000 apps from Google Play. Scan results of the Alexa top 1 million websites shows 451,470 websites have enabled SSL connections, and of them, 19,566 or 4.4 percent of websites are still vulnerable.
For mobile platforms, Android 4.1.1, which occupies 7 percent of Android market share, is vulnerable due to the OpenSSL version it used.
After scanning 120,000 apps from Google Play, 8.7 percent of them have been found vulnerable, which affects more than 150 million users.
Meanwhile, Tripwire expanded detection for Heartbleed.
“The initial response to Heartbleed has been focused on external scans and Web servers,” said Lamar Bailey, director of Tripwire’s Vulnerability and Exposure Research Team (VERT). “However, the long-term impact for most organizations is on their internal networks. This is where Heartbleed can affect a wide variety of servers, applications and operating systems.”
The list of potentially vulnerable internal assets includes mission-critical internal applications and SSL-enabled services. These include File Transfer Protocol (FTP), Internet Message Access Protocol (IMAP), Post Office Protocol version 3 (POP3), Extensible Messaging and Presence Protocol (XMPP), and Simple Mail Transfer Protocol (SMTP).
Tripwire said SecureScan provides free internal vulnerability scanning for up to 100 IP addresses and includes comprehensive detection rules.