
SA 3009008 to disable SSL 3.0 in MS IE

Microsoft has updated security advisory SA 3009008 with the release of a FixIt tool that automatically disables the SSL 3.0 encryption protocol setting in Internet Explorer. The release relates to vulnerability CVE-2014-3566 (aka POODLE), discovered two weeks ago. The vulnerability applies to all supported versions of Windows, from the outdated Windows 2003 Server SP2 to Windows 8 / 8.1 and RT 8.1. The FixIt tool can be downloaded from this link.



Microsoft Internet Explorer services over the coming months. We recommend security protocols such as TLS 1.0, TLS 1.1 or TLS 1.2.

Vulnerability in SSL 3.0 Could Allow Information Disclosure
The vulnerability in question, CVE-2014-3566 (Padding Oracle On Downgraded Legacy Encryption), is not one of the usual vulnerabilities found specifically in Microsoft products. It belongs to the class of so-called "industry-wide vulnerabilities" and is somewhat similar to the previously discovered, very dangerous Heartbleed vulnerability. In the case of POODLE, however, the situation is less critical.

The vulnerability allows attackers to interfere in the establishment of an SSL 3.0 connection between the client and the server and subsequently intercept the data of the encrypted connection, that is, to conduct a Man-in-the-Middle attack. The vulnerability does not affect digital certificates or their private keys stored on the server, so re-issuing them is not required if you use this version of SSL.

Information on manually disabling this protocol in Windows can be found in the workaround section here.

More information about the vulnerability can be found in the detailed report of Google analysts.


Fig. IE11 on Windows 8.1 x64 using optimal security settings. The option to use the SSL 3.0 encryption protocol is disabled by system administrator settings. The automatic FixIt tool and the instructions in the workaround section can also be used to disable it. At the same time, the TLS 1.0, TLS 1.1, and TLS 1.2 encryption protocols should remain enabled.
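One way to confirm the setting took effect is to inspect the ClientHello messages a host sends: with SSL 3.0 disabled, none should be capped at version 0x0300. The parser below is an added example, not part of the original article or of Microsoft's tooling; the function names are illustrative and the sample bytes are constructed, not captured traffic.

```python
import struct

# Wire values of the protocol versions named in the article.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def hello_max_version(data: bytes) -> int:
    """Return the highest protocol version a ClientHello offers (ValueError if not one)."""
    # Legacy SSLv2-format hello: length with the top bit set, message type 1,
    # then the version the client is really asking for.
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        return struct.unpack_from("!H", data, 3)[0]
    # Regular record: type 0x16, version, length; handshake type 0x01, 3-byte length.
    if len(data) < 11 or data[0] != 0x16 or data[5] != 0x01:
        raise ValueError("not a ClientHello")
    # Bytes 1-2 (record version) are often 0x0301 even from TLS 1.2 clients,
    # so the offer is read from client_version at offset 9.
    return struct.unpack_from("!H", data, 9)[0]

def audit(hellos: dict) -> dict:
    """Label -> (version name, allowed) under the policy in the figure:
    SSL 3.0 and older refused, TLS 1.0 / 1.1 / 1.2 accepted."""
    report = {}
    for label, raw in hellos.items():
        try:
            version = hello_max_version(raw)
        except ValueError:
            report[label] = ("unparseable", False)
            continue
        report[label] = (VERSIONS.get(version, f"0x{version:04x}"), version >= 0x0301)
    return report

def sample_hello(record_version: int, client_version: int) -> bytes:
    # Constructed sample: minimal ClientHello, one cipher suite, no extensions.
    body = struct.pack("!H", client_version) + bytes(32) + b"\x00\x00\x02\x00\x2f\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", record_version, len(handshake)) + handshake

# Constructed inputs, not captured traffic.
SAMPLES = {
    "tls12-client": sample_hello(0x0301, 0x0303),
    "ssl3-only-client": sample_hello(0x0300, 0x0300),
    "v2-format-hello": b"\x80\x1c\x01\x03\x00\x00\x03\x00\x00\x00\x10\x00\x00\x2f" + bytes(16),
    "not-tls": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for label, verdict in audit(SAMPLES).items():
        print(label, verdict)
```

A hello that offers TLS 1.2 only shows the client's maximum version and does not by itself prove SSL 3.0 is off; the useful signal is that hosts with the setting applied never send a hello capped at SSL 3.0.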

Microsoft plans to soon disable the option to use SSL 3.0 by default for all versions of Internet Explorer.


Be secure.

Source: https://habr.com/ru/post/241979/

