Finding a software bug such as Heartbleed is the hard part. Pushing out the fix is relatively easy. But forcing people to update their machines? Total crapshoot.
Every couple of years, a mega-flaw is discovered in some key part of the Internet's infrastructure. Despite the attention those vulnerabilities get, consumers and small businesses are notorious for not applying security patches.
One of the most egregious examples is the Conficker worm, which exploited a programming flaw in Microsoft Windows. Nearly six years after it infected millions of PCs around the world and a fix was made, it's still infecting computers.
It was a different story in 2008, when security researcher Dan Kaminsky discovered a major flaw in the Domain Name System that tells computers how to find each other on the Internet. He worked in secret with the companies responsible for DNS to ensure that a fix was in place before he went public with the vulnerability. The hole was largely plugged.
This week's Heartbleed is also a huge deal because the security flaw, which could give hackers access to encrypted e-mails, banking information or passwords, affected as many as two-thirds of all active websites. That means a large number of people operating hundreds of millions of servers are required to apply the fix, which was made available on Monday, the same day the vulnerability was disclosed.
So what's the response so far? Encouraging.
Although it's hard to know how many sites are still vulnerable, John Pescatore, director of emerging security trends at the SANS Institute, said the industry has responded with appropriate speed to protect users. The former Gartner analyst bases his assessment on high-level contacts within large organizations.
There will likely be little effect on consumers because most large websites have already fixed the problem, which he attributed to researchers disclosing the vulnerability responsibly and the process working as intended.
"Pretty much up and down the line, responsible disclosure has been followed," Pescatore said. "Obviously it's a serious vulnerability and government agencies and really well-funded bad guys have the ability to take advantage of this, but it's not that easy to take advantage of."