Many vulnerable OpenSSL libraries in the wild?

Magnus,
 
I wished to react to the Netcraft's article posted under your name
regarding the high number of obsolete and thus vulnerable versions of
OpenSSL found on the Internet.
 
I tend to question the way the gathering of the data was done. It seems,
according to your article that you just used the Web server's signature.
 
Unfortunately this is not sufficient, and this for at least one reason:
the backporting of security fixes.
 
Many Linux distributions backport fixes, meaning that the version number
will not be increased while the vulnerability will be removed.
 
Taking two examples of two machines I have at hand, one running Debian
Woody one running Mandrake 9.1. These two machines are accessible on the
Internet.
 
jerome-AT-debian Woody> dpkg -l openssl
ii openssl 0.9.6c-2.woody.4 [...]
 
jerome-AT-mandrake 9.2> rpm -q openssl
openssl-0.9.7a-1.2.91mdk
 
Does that mean that mandrake 9.1 and Debian Woody are vulnerable? No (at
least to currently known vulnerabilities). But these 2 machines would
(and perhaps have been) counted in the results of the NetCraft survey.
 
The only way to find out whether a vulnerability is present or not is to
try to exploit it. That's what the people from NISC seems to be doing.
 
What I am afraid of is that this survey seems to create a false sense or
risk for solutions running on OpenSSL. Many of these solutions are open
source, and this article could be used as FUD against these systems.
 
So until a better way to identify whether these systems are indeed
vulnerable, I would be happy if Netcraft could publish an addendum to
that article, in order to decrease this perhaps false sense of risk that
this article generated.
 
See also the article on LWN for more discussions[2].
 
Cheers,
 
Jerome
 
[1] http://news.netcraft.com/[...]
[2] http://lwn.net/Articles/56713/
 
--
Jerome Lacoste - CoffeeBreaks - IT Consulting
jerome-AT-coffeebreaks.org - http://www.CoffeeBreaks.org