Even after applying a Heartbleed patch, many websites are still vulnerable
Heartbleed received a ton of media attention, and for good reason -- the security flaw in OpenSSL caught the Internet with its collective pants down, which in turn prompted website owners, IT workers, and web admins to go scrambling for a fix. Now that a patch is available, are we once again safe? Not really, says AVG. According to the company, thousands of popular websites still need to update their servers to be protected from a separate, newer OpenSSL vulnerability that the Heartbleed patch does not cover.
The new vulnerability, known as CCS Injection (a ChangeCipherSpec handling flaw in OpenSSL, tracked as CVE-2014-0224 and widely misreported as "CSS Injection"), has left potentially tens of thousands of the web's most popular sites open to attack. AVG said it scanned the servers of 45,000 of the world's biggest websites, selected by their Alexa rankings, and found that around half use OpenSSL. Of those potentially vulnerable sites, 75 percent were still not protected at the time of the scan, leaving around 17,000 exposed.
On the plus side, exploiting the vulnerability takes considerable effort on the attacker's part, AVG says. The attacker must be positioned to intercept the connection between a client and a server, both of which must be running an unpatched OpenSSL, and mount a man-in-the-middle attack. In practice that means the client side also has to be built on OpenSSL, which rules out most desktop browsers but not many mobile, embedded, and command-line clients. Once in that position, the attacker can decrypt and modify the traffic that flows back and forth.
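The practical check an administrator wants here is whether the OpenSSL build a service links against actually contains the CCS Injection fix, because the Heartbleed fix release (1.0.1g) does not. The following is an added example, not code from the article or from AVG: it classifies an `openssl version` string against the first fixed releases published in the June 2014 OpenSSL advisory (1.0.1h, 1.0.0m, 0.9.8za, and 1.0.2-beta2). The function names and the sample version strings are this example's own.

```python
import re
import shutil
import subprocess

# First releases on each maintained branch that carry the CCS Injection
# (CVE-2014-0224) fix. 1.0.1g, the Heartbleed fix, is NOT sufficient.
FIRST_FIXED = {
    (1, 0, 1): "h",
    (1, 0, 0): "m",
    (0, 9, 8): "za",
}

# "1.0.1h", "1.0.1h-fips", "0.9.8za", "1.0.2-beta1" all match. The patch
# letters are matched lazily with a trailing lookahead so that "beta" is not
# swallowed as if it were a run of patch letters.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*?)(?:-?(beta\d+))?(?![a-z])")


def parse_openssl_version(text):
    """Parse 'OpenSSL 1.0.1g 7 Apr 2014' style text into
    ((major, minor, fix), patch_letters, beta_tag) or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    branch = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    return branch, m.group(4), m.group(5)


def _letter_key(letters):
    # OpenSSL patch letters run a..z and then za, zb, ...: a longer suffix
    # is always newer, so compare by (length, string).
    return (len(letters), letters)


def ccs_injection_fixed(text):
    """True if the version in `text` carries the CCS Injection fix,
    False if it is a known-vulnerable release, None if unrecognised."""
    parsed = parse_openssl_version(text)
    if parsed is None:
        return None
    branch, letters, beta = parsed
    if branch in FIRST_FIXED:
        return _letter_key(letters) >= _letter_key(FIRST_FIXED[branch])
    if branch == (1, 0, 2):
        # 1.0.2-beta1 was vulnerable; beta2 and the final release are fixed.
        return beta != "beta1"
    if branch > (1, 0, 2):
        return True
    # Branches older than 0.9.8 were unsupported and not assessed.
    return None


def check_local_openssl():
    """Run the local `openssl version` binary, if present, and classify it."""
    if shutil.which("openssl") is None:
        return None
    out = subprocess.run(["openssl", "version"], capture_output=True, text=True)
    return out.stdout.strip(), ccs_injection_fixed(out.stdout)


if __name__ == "__main__":
    # Constructed sample strings in the format `openssl version` prints.
    for sample in ("OpenSSL 1.0.1g 7 Apr 2014",     # Heartbleed-patched, still vulnerable
                   "OpenSSL 1.0.1h 5 Jun 2014",     # fixed
                   "OpenSSL 0.9.8y 5 Feb 2013",     # vulnerable
                   "OpenSSL 1.0.2-beta1 24 Feb 2014"):  # vulnerable beta
        print(f"{sample!r:40} fixed={ccs_injection_fixed(sample)}")
    print("local:", check_local_openssl())
```

Run it against the version string of every OpenSSL copy a host actually loads (statically linked daemons and bundled copies inside application directories are the usual surprises), not just the system `openssl` binary; a patched package is no help to a service still running against an old library until it is restarted.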
This is a bit of a self-serving warning on AVG's part: the company says it has built additional functionality into its Web TuneUp product that will show users a banner when they visit a site that could be at risk from CCS Injection. AVG Web TuneUp (beta) is free for the time being, though it doesn't support Windows 8/8.1.