Wednesday 15 October 2014

new security vulnerability called POODLE

There Is a New Security Vulnerability Named POODLE, and It Is Not Cute: http://www.wired.com/2014/10/poodle-explained/

https://supportforums.cisco.com/discussion/12326341/sslv3-poodle-vulnerability

http://www.zdnet.com/google-reveals-major-flaw-in-outdated-but-widely-used-ssl-protocol-7000034677/


POODLE affects SSLv3 or version 3 of the Secure Sockets Layer protocol, which is used to encrypt traffic between a browser and a web site or between a user’s email client and mail server. It’s not as serious as the recent Heartbleed and Shellshock vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.

According to the team's Bodo Möller: "This vulnerability allows the plaintext of secure connections to be calculated by a network attacker."

This is a client security hole. This is a vulnerability in the old SSLv3 (relaying in 80's code), but even if you have all set for using TLS, in many applications the server can trick you to downgrade to SSL and then it can stole you some security cookies.

This vulnerability is a risk in public wifi but not at home or work.



------------------

Mozilla says that it is making Firefox 34 safe from POODLE by disabling SSL 3.0 by default. The code which does this is already baked into the Nightly channel, and will make its way to the Aurora and Beta channels also "in the next few weeks".

----------
MicroSoft Advisory and Workarounds:

https://technet.microsoft.com/en-us/library/security/3009008.aspx
This workaround involves Group Policy Editor. For those using versions of Windows that don't include GPE simply go to Control Panel/Internet Options/Advanced/Security and uncheck the box for SSL 3.0 (SSL 2.0 should already be unchecked).