Business Solutions & Software Group Blog

Business Solutions & Software Group Blog

Business Solutions & Software Group has been serving the Coral Springs area since 1997, providing IT Support such as technical helpdesk support, computer support, and consulting to small and medium-sized businesses.
Font size: +

Microsoft Fixes Dangerous POODLE SSL Vulnerability

b2ap3_thumbnail_Poodles_400.jpgA while back we discussed the POODLE vulnerability found in SSL 3.0 SSL encryption technology. This vulnerability is found in all operating systems, as it is found within the web browser’s abilities to process SSL encryption. Thankfully, major companies are stepping up to tackle the issue, and Microsoft has released a basic solution to fix the vulnerability in Internet Explorer.

The POODLE vulnerability itself is used to obtain information encrypted with SSL technology by analyzing web traffic. This technique is used to steal information such as credit card numbers, Social Security numbers or other private information. In non-tech speak, SSL (Secure Socket Layers) is an encryption protocol used to keep data safe on the web through security certificates. This method of encryption has long since been replaced by the more secure protocol TLS (Transport Layer Security), but several systems will revert back to their old SSL certificates in the event something has gone wrong with their TLS. TLS isn’t vulnerable to this issue, so in theory, a hacker could force their way into a network, exploiting the traffic coming in and out of the network for any worthwhile information.

According to the Microsoft security advisory, hackers exploit a man-in-the-middle attack to take advantage of this vulnerability:

In a man-in-the-middle (MiTM) attack, an attacker could downgrade an encrypted TLS session forcing clients to use SSL 3.0 and then force the browser to execute malicious code. This code sends several requests to a target HTTPS website, where cookies are sent automatically if a previous authenticated session exists. This is a required condition in order to exploit this vulnerability. The attacker could then intercept this HTTPS traffic, and by exploiting a weakness in the CBC block cipher in SSL 3.0, could decrypt portions of the encrypted traffic (e.g. authentication cookies).

Due to the nature of POODLE as a design flaw, it’s not something that can easily be patched. Therefore, most experts are saying that you’re better off disabling SSL 3.0 for their web browsers. Most servers don’t rely on SSL 3.0 anymore, which makes it obsolete. In fact, most major browsers are looking to disable SSL 3.0 completely within the next few months. Firefox is fixing the issue with the November upgrade, while Google is working to disable SSL 3.0 on all of its products. This makes the vulnerability obsolete for two of the biggest browsers, but what about Internet Explorer?

Turns out Microsoft has a way to fix that one, too. Microsoft has released a Fix It tool, which can help users disable SSL 3.0 without navigating through their Control Panel. Just click here for the tool on their official website. Otherwise, you must disable SSL 3.0 and enable TLS 1.0, 1.1, and 1.2. Follow these steps to do so:

poodle in blog 1

In the Internet Explorer Tools menu (or your PC’s Control Panel), click Internet Options.

poodle in blog 2

In the Internet Options window, click the Advanced tab.

poodle in blog 3

Scroll down to the Security section. Notice there are checkboxes next to the available SSL and TLS options. Uncheck Use SSL 3.0, and check the following: TLS 1.0, TLS 1.1, and TLS 1.2. Be sure to check all of the TLS versions. Failing to do so could result in connection errors.

Finally, click OK, exit, and restart Internet Explorer. This allows Internet Explorer to refuse a connection with any servers which only support SSL, which ensures that the web traffic isn’t vulnerable to the POODLE vulnerability.

Business Solutions & Software Group believes that quality security is key to a minimal-risk online environment. This fix isn’t a viable replacement for the latest security updates and patches, so you will want to ensure that you are always running the most up-to-date versions of your software, applications, and especially your operating system.

Business Solutions & Software Group can apply all of these patches for your business’s systems so you don’t have to. Call us today at (954) 575-3992 to learn more.

 

Comments

No comments made yet. Be the first to submit a comment
Guest
Already Registered? Login Here
Tuesday, 03 December 2024

Captcha Image

About Business Solutions & Software Group

Business Solutions & Software Group has been serving the South Florida area since 1997, providing IT Support such as technical helpdesk support, computer support and consulting to small and medium-sized businesses. Our experience has allowed us to build and develop the infrastructure needed to keep our prices affordable and our clients up and running.

get a free quote

Recent News

Business Solutions & Software Group is proud to announce the launch of our new website at www.bssgcorp.com. The goal of the new website is to make it easier for our existing clients to submit and manage support requests, and provide more information about our services for ...

Contact Us

10211 W Sample Road Suite 114
Coral Springs, Florida 33065

Mon to Fri 9:00am to 6:00pm

help@itcloud360.com

(954) 575-3992