Wednesday, October 29, 2014

Disable Support for SSL 3.0 to Avoid POODLE Attack !!!

I believe everyone is aware of the latest POODLE (Padding Oracle on Downgraded Legacy Encryption) vulnerability, which affects clients that use SSL 3.0. It is considered a bit more dangerous than the Heartbleed bug that raised the alarm recently, and most organizations have already started to disable SSL 3.0 support on their clients and applications. Today the Microsoft team published an update on this issue for Office 365, notifying customers of the newly available workaround to disable SSL 3.0 support in IE browser clients that connect to the service, along with the deadline.

Extract from the Official Post: 

Starting on December 1, 2014, Office 365 will begin disabling support for SSL 3.0. This means that from December 1, 2014, all client/browser combinations will need to utilize TLS 1.0 or higher to connect to Office 365 services without issues. This may require certain client/browser combinations to be updated.

Although analysis of connections to Microsoft online services shows very few customers still use SSL 3.0, we are providing customers with advance notice of this change so they can update their impacted clients prior to us disabling SSL 3.0.

A new Fix it was released today to disable SSL 3.0 support in the IE browser. There is also a reference to the updated security advisory, "Microsoft Security Advisory 3009008", which covers this vulnerability in more detail and gives the steps for using GPO settings to implement this change organization-wide.

Review the Official Blog post here: Protecting you against the SSL 3.0 vulnerability

Also refer to the latest ZDNet post, which covers more discussion on the topic and explains how other browser clients are responding to this vulnerability:

Google has said that it will remove SSL 3.0 support from all their client products over the next few months. The next version of Firefox (due November 25) will disable SSL 3.0 completely. In the meantime, Mozilla has created an SSL Version Control add-on to allow users to disable the feature.

Review here: Microsoft releases anti-POODLE Fix It

*The Microsoft team is discontinuing support for SSL 3.0 in Azure Storage by February 2015.

Microsoft Disabling SSL 3.0 in Azure Storage Next Month
