Heartbleed is the gift that keeps on giving as servers remain unpatched

An average of 7,000 attacks a day continue to seek out servers still vulnerable to the bug.

Within four days of the first public reports of a major flaw in OpenSSL's software for securing communications on the Internet, mass attacks searched for and targeted vulnerable servers.

In a report released this week, IBM found that while the attacks have died down, approximately half of the original 500,000 potentially vulnerable servers remain unpatched, leaving businesses at continuing risk of the Heartbleed flaw. On average, the company currently sees 7,000 daily attacks against its customers, down from a high of 300,000 attacks in a single 24-hour period in April, according to the report based on data from the company's Managed Security Services division.

"Despite the initial rush to patch systems, approximately 50 percent of potentially vulnerable servers have been left unpatched—making Heartbleed an ongoing, critical threat," the report stated.

The Heartbleed flaw, disclosed on April 9, allows an attacker to read up to 64KB of data from the memory of an affected server running OpenSSL with each request. Much of what comes back is meaningless, but the leaked memory can also contain cryptographic keys and passwords, and an attacker who keeps asking can mine it for both.
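The bug comes down to a missing bounds check: a heartbeat request carries a payload_length field, and the unpatched code copied that many bytes back to the sender without confirming the bytes were actually in the record. The validator below, an added example written for this article and not code from Ars Technica, IBM or the OpenSSL project, parses a TLS heartbeat record as laid out in RFC 6520 and applies the check the vulnerable code omitted, which is also the check a network sensor uses to flag probes. The two records it is run over are constructed here as sample input; the `check_heartbeat_record` and `triage` function names are this example's own.

```python
"""Validate TLS heartbeat records the way a patched peer (or an IDS rule) does.

Added example for the Heartbleed article above; not code from the article,
IBM, or OpenSSL. Record layout follows RFC 6520; sample records are constructed.
"""
import struct

TLS_HEARTBEAT = 24       # TLS ContentType value for heartbeat records (RFC 6520)
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16         # RFC 6520: padding_length MUST be at least 16 bytes
HB_HEADER_LEN = 1 + 2    # HeartbeatMessageType (1) + payload_length (2)


def check_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record and decide whether a heartbeat inside it is safe to echo.

    Returns a dict whose "verdict" is "ok", "discard", "not-heartbeat" or
    "truncated-record". A "discard" verdict carries the reason, exactly as
    RFC 6520 requires the receiver to silently drop the message.
    """
    if len(record) < 5:
        return {"verdict": "truncated-record"}
    content_type, _vmaj, _vmin, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return {"verdict": "not-heartbeat", "content_type": content_type}
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        return {"verdict": "truncated-record"}
    if len(body) < HB_HEADER_LEN:
        return {"verdict": "discard", "reason": "heartbeat header incomplete"}

    hb_type, payload_len = struct.unpack("!BH", body[:HB_HEADER_LEN])
    available = len(body) - HB_HEADER_LEN   # bytes really present after the header

    # The bounds check the vulnerable code lacked: the declared payload must fit
    # inside the record. Echoing payload_len bytes without this test reads past
    # the record into whatever else sits in the process heap.
    if payload_len > available:
        return {
            "verdict": "discard",
            "reason": "payload_length exceeds record",
            "declared": payload_len,
            "available": available,
            "bytes_beyond_record": payload_len - available,
        }
    # Second RFC 6520 requirement: at least 16 bytes of padding must follow.
    if payload_len + MIN_PADDING > available:
        return {"verdict": "discard", "reason": "padding shorter than 16 bytes"}

    return {
        "verdict": "ok",
        "type": hb_type,
        "payload": body[HB_HEADER_LEN:HB_HEADER_LEN + payload_len],
    }


def triage(records) -> dict:
    """Count verdicts over a batch of records, as a sensor would per connection."""
    counts = {}
    for rec in records:
        verdict = check_heartbeat_record(rec)["verdict"]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample records (not captured traffic).
# Header: type 0x18 (heartbeat), version 3.2, record length 0x0017 = 23 bytes.
# Body:   request (0x01), payload_length, 4-byte payload "ping", 16 bytes padding.
GOOD_RECORD = bytes.fromhex("18 03 02 00 17" "01 00 04" "70 69 6e 67" + "aa" * 16)
# Same 23-byte record, but payload_length claims 0x4000 = 16384 bytes.
BAD_RECORD = bytes.fromhex("18 03 02 00 17" "01 40 00" "70 69 6e 67" + "aa" * 16)
# Benign record with only 10 bytes of padding: body is 3 + 4 + 10 = 17 bytes.
SHORT_PAD_RECORD = bytes.fromhex("18 03 02 00 11" "01 00 04" "70 69 6e 67" + "aa" * 10)

if __name__ == "__main__":
    for name, rec in (("good", GOOD_RECORD), ("bad", BAD_RECORD), ("shortpad", SHORT_PAD_RECORD)):
        print(name, check_heartbeat_record(rec))
    print(triage([GOOD_RECORD, BAD_RECORD, SHORT_PAD_RECORD]))
```

The "bytes_beyond_record" figure is what a detection rule logs: for the constructed bad record it is 16,364 bytes that a vulnerable server would have copied out of its heap in response to a 23-byte request, which is why a single malformed message was enough to matter.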

That's just what attackers began to do on April 11, hitting hundreds of IBM's clients with 200,000 daily attacks. By April 15, attack events peaked at 300,000 and then quickly dropped off. Ten days after the initial wave of attacks, the number of events had dropped to the thousands.

The Heartbleed vulnerability has highlighted a number of problems with how companies and the security community address software security problems, IBM stated. While Heartbleed is considered one of the most critical bugs impacting the Internet in 2014, a common measure of vulnerability severity—the Common Vulnerability Scoring System, or CVSS—only rated the issue a 5.0, or "medium," threat.

In addition, companies that had incident response plans prepared and closely managed their information-technology assets were able to patch quickly. Without both, responding to Heartbleed took much longer, IBM stated in the report.

Finally, as attackers had less success with Heartbleed, they switched to other exploits. IBM argued that other open source packages may become the next target.

"While the initial impact of Heartbleed is waning, a second wave of new vulnerabilities found within open-source and reusable software merits further discussion," the report stated.
