Microsoft Security Advisory 3009008

ronjor · Oct 15, 2014

Vulnerability in SSL 3.0 Could Allow Information Disclosure

Published: October 14, 2014

Version: 1.0

Executive Summary

Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.
Click to expand...

https://technet.microsoft.com/library/security/3009008

ronjor · Oct 29, 2014

Microsoft Security Advisory
- Title: Vulnerability in SSL 3.0 Could Allow Information
Disclosure
- https://technet.microsoft.com/library/security/3009008
- Revision Note: V2.0 (October 29, 2014): Revised advisory to
announce the deprecation of SSL 3.0, to clarify the workaround
instructions for disabling SSL 3.0 on Windows servers and on
Windows clients, and to announce the availability of a Microsoft
Fix it solution for Internet Explorer. For more information see
Knowledge Base Article 3009008.
Click to expand...

https://technet.microsoft.com/library/security/3009008

xxJackxx · Oct 29, 2014

I looked at this fixit but it wouldn't run. I tried the registry edit but it doesn't appear to do anything. The box for SSL 3.0 was already unchecked so I don't know if this was intended to do anything beyond that. The checkbox is still there and available...

anon · Oct 29, 2014

POODLE Test:
https://www.ssllabs.com/ssltest/viewMyClient.html
https://zmap.io/sslv3/
https://www.poodletest.com/

https://scotthelme.co.uk/sslv3-goes-to-the-dogs-poodle-kills-off-protocol/

siljaline · Oct 29, 2014

MS FixIt available at:
https://support.microsoft.com/kb/3009008

siljaline · Oct 30, 2014

Folks should be aware that:

This advisory provides guidance for customers so that they can disable SSL 3.0 in the browser. Customers should be aware that once they disable SSL 3.0, if they visit a website that supports only SSL 3.0 and does not support newer encryption protocols, they will receive a connection error message and will not be able to connect to that website.
Click to expand...

Thanks for not telling us that in the first place - MS.

http://blogs.technet.com/b/msrc/archive/2014/10/29/security-advisory-3009008-released.aspx

siljaline · Oct 30, 2014

Some key points are summarized by the Reg Team.
http://www.theregister.co.uk/2014/10/29/microsoft_poodle_fixit_for_ie/

The MS FixIT should be left in place.

siljaline · Oct 30, 2014

(Google) Chrome set to disable and remove SSLv3 in upcoming releases

Chrome 39, due to be released in six weeks' time, will be the first step in Google's plan to remove SSLv3 support from its Chrome browser.[...]
Click to expand...

http://www.zdnet.com/chrome-set-to-disable-and-remove-sslv3-in-upcoming-releases-7000035260/

MrBrian · Dec 9, 2014

V2.1 (December 9, 2014): Microsoft is announcing the availability of SSL 3.0 fallback warnings in Internet Explorer 11. For more information see Knowledge Base Article 3013210.
Click to expand...

ronjor · Feb 10, 2015

Microsoft Security Advisory 3009008

Vulnerability in SSL 3.0 Could Allow Information Disclosure
Published: October 14, 2014 | Updated: February 10, 2015
Version: 2.2
Click to expand...

https://technet.microsoft.com/en-us/library/security/3009008

anon · Feb 17, 2015

Microsoft Security Advisory 3009008
Vulnerability in SSL 3.0 Could Allow Information Disclosure
Published: October 14, 2014 | Updated: February 16, 2015
Version: 2.3
https://technet.microsoft.com/library/security/3009008
Click to expand...

Q. With the 3021952 update of February 11, 2015, SSL 3.0 fallback attempts have been disabled by default in Internet Explorer 11. When will the SSL 3.0 protocol be disabled in Internet Explorer 11?
A. Microsoft plans to disable SSL 3.0 by default in Internet Explorer 11 with the April 14, 2015 Internet Explorer update.
Click to expand...

ronjor · Apr 14, 2015

Microsoft Security Advisory 3009008

Vulnerability in SSL 3.0 Could Allow Information Disclosure

Published: October 14, 2014 | Updated: April 14, 2015
Click to expand...

https://technet.microsoft.com/en-us/library/security/3009008

BoerenkoolMetWorst · Apr 14, 2015

ronjor said: ↑

https://technet.microsoft.com/en-us/library/security/3009008
Click to expand...

"Microsoft is announcing that with the release of security update 3038314 on April 14, 2015 SSL 3.0 is disabled by default in Internet Explorer 11. Microsoft is also announcing that SSL 3.0 will be disabled across Microsoft online services over the coming months."
Good riddance

Log in or Sign up

Microsoft Security Advisory 3009008

ronjor Global Moderator

ronjor Global Moderator

xxJackxx Registered Member

anon Registered Member

siljaline Registered Member

siljaline Registered Member

siljaline Registered Member

siljaline Registered Member

MrBrian Registered Member

ronjor Global Moderator

anon Registered Member

ronjor Global Moderator

BoerenkoolMetWorst Registered Member

Log in or Sign up

Microsoft Security Advisory 3009008

ronjor Global Moderator

ronjor Global Moderator

xxJackxx Registered Member

anon Registered Member

siljaline Registered Member

siljaline Registered Member

siljaline Registered Member

siljaline Registered Member

MrBrian Registered Member

ronjor Global Moderator

anon Registered Member

ronjor Global Moderator

BoerenkoolMetWorst Registered Member

Useful Searches