SA 3009008 to disable SSL 3.0 in MS IE

    Microsoft has updated security advisory SA 3009008 with the release of a Fixit tool that automatically blocks the use of the SSL 3.0 protocol in Internet Explorer. The release is connected with the vulnerability discovered two weeks ago, CVE-2014-3566 (aka POODLE). The vulnerability affects all supported versions of Windows, from the obsolete Windows Server 2003 SP2 to Windows 8 / 8.1 and Windows RT 8.1. The Fixit tool can be downloaded from this link.

    Microsoft is announcing that SSL 3.0 will be disabled in the default configuration of Internet Explorer and across Microsoft online services over the coming months. We recommend customers migrate clients and services to more secure security protocols, such as TLS 1.0, TLS 1.1 or TLS 1.2.

    Vulnerability in SSL 3.0 Could Allow Information Disclosure

    The CVE-2014-3566 vulnerability (Padding Oracle On Downgraded Legacy Encryption) is not one of the usual vulnerabilities found specifically in Microsoft products. It belongs to the class of so-called "industry-wide vulnerabilities" and is somewhat similar to the very dangerous Heartbleed vulnerability discovered earlier. In the case of POODLE, however, the situation is less critical.

    The vulnerability allows an attacker to interfere with the negotiation of an SSL 3.0 connection between a client and a server and subsequently recover data from the intercepted encrypted connection, i.e. to mount a man-in-the-middle attack. It does not affect digital certificates or the private keys stored on the server, so reissuing them is not required where this version of SSL has been in use.

    Instructions for manually disabling this protocol in Windows can be found in the advisory's workaround section here.

    You can read more about the vulnerability in a detailed report by Google analysts.

    Fig. IE11 on Windows 8.1 x64 with optimal security settings. The option to use the SSL 3.0 protocol is disabled by system administrator settings. The automatic Fixit tool or the instructions in the workaround section can also be used to disable it. At the same time, the TLS 1.0, TLS 1.1 and TLS 1.2 protocols must remain enabled.
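    The state shown in the figure (SSL 3.0 off, TLS 1.0/1.1/1.2 on) can be audited and enforced from PowerShell. The script below is an added example, not Microsoft's Fixit or the advisory's own text; it assumes IE stores its protocol selection in the `SecureProtocols` DWORD under `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings`, as a bitmask in which SSL 2.0 = 8, SSL 3.0 = 32, TLS 1.0 = 128, TLS 1.1 = 512 and TLS 1.2 = 2048.

```powershell
# Added example: audit the per-user Internet Explorer protocol bitmask and, if SSL 3.0
# is still allowed, rewrite it so only TLS 1.0, 1.1 and 1.2 remain enabled.
# Assumed location and bit values (as used by the advisory's manual workaround):
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$protocolBits = [ordered]@{ 'SSL 2.0' = 8; 'SSL 3.0' = 32; 'TLS 1.0' = 128; 'TLS 1.1' = 512; 'TLS 1.2' = 2048 }
$hardened = 128 + 512 + 2048    # TLS 1.0 + TLS 1.1 + TLS 1.2 only = 2688

function Get-IeSecureProtocols {
    # Returns the current bitmask, or $null when the value is absent and IE uses its
    # built-in default (which, at the time of this advisory, still allowed SSL 3.0).
    $item = Get-ItemProperty -Path $ieKey -Name SecureProtocols -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.SecureProtocols
}

function Show-IeProtocolState([int]$mask) {
    # Decode each protocol bit so the audit output reads like the IE Advanced tab.
    foreach ($name in $protocolBits.Keys) {
        $enabled = ($mask -band $protocolBits[$name]) -ne 0
        '{0,-8} {1}' -f $name, $(if ($enabled) { 'ENABLED' } else { 'disabled' })
    }
}

$current = Get-IeSecureProtocols
if ($null -eq $current) {
    Write-Output 'SecureProtocols is not set; IE is running on its built-in default.'
} else {
    Write-Output "Current SecureProtocols = $current"
    Show-IeProtocolState $current
}

# Remediate only when SSL 3.0 is allowed (value missing, or bit 32 set).
if ($null -eq $current -or ($current -band 32) -ne 0) {
    Write-Output "SSL 3.0 is allowed; setting SecureProtocols = $hardened (TLS 1.0/1.1/1.2 only)."
    New-ItemProperty -Path $ieKey -Name SecureProtocols -PropertyType DWord -Value $hardened -Force | Out-Null
    Show-IeProtocolState (Get-IeSecureProtocols)
}
```

    This covers only IE's per-user setting; a Group Policy value under the `Policies` branch of the same path, which is how the "disabled by the system administrator" state in the figure is normally enforced, overrides it, and the system-wide SChannel settings for other clients and for servers are handled separately in the advisory's workaround section.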

    Microsoft plans in the near future to disable the option to use SSL 3.0 by default for all versions of Internet Explorer.

    Be secure.
