More than 132,000 web-facing SSL servers, nearly 45 percent of all SSL servers, are running either Windows 2000 or Windows NT4, according to our March Secure Server Survey. The PCT and SSL 2.0 protocols targeted by the exploit are enabled by default in Win2K and NT4. As we noted last week, many SSL sites have a poor track record of applying patches for known security holes, including those enabling a system compromise.
An earlier exploit, known as SSL Bomb, enabled attackers to launch a denial-of-service attack on SSL sites.