Microsoft Issues Advice on SSL 3.0 Security Vulnerability
Microsoft is offering more guidance regarding a Secure Sockets Layer (SSL) 3.0 security flaw, including how to disable SSL 3.0 for users of Exchange Server and Azure Websites.
SSL 3.0 is a protocol used to secure Web traffic over HTTPS. It has a flaw that could allow an attacker to decrypt information, such as authentication cookies, according to Microsoft. The U.S. Computer Emergency Readiness Team (US-CERT) issued a notice about SSL 3.0 earlier this month. The flaw was first disclosed by researchers who demonstrated it with a Padding Oracle On Downgraded Legacy Encryption (POODLE) attack.
The POODLE attack forces a connection down to the flawed SSL 3.0 protocol, which is what makes the exploit possible. SSL 3.0 is an older protocol that's largely being replaced by the Transport Layer Security (TLS) protocol, which doesn't have this security flaw, according to US-CERT.
For the SSL 3.0 flaw to be exploited, attackers have to conduct a so-called "man-in-the-middle" attack, so the exploit is considered difficult to pull off. However, it could be exploited more easily on networks that are prone to those kinds of attacks, such as Wi-Fi networks, according to US-CERT.
On October 14, Microsoft issued a security advisory noting that all supported Windows Server software uses the SSL 3.0 protocol and is "affected by this vulnerability." The advisory added that the vulnerability was "not considered high risk to customers." The SSL 3.0 flaw isn't considered a high-risk problem because attackers would have to make "several hundred HTTPS requests before the attack could be successful," according to Microsoft.
Microsoft's advisory offers workarounds that include disabling SSL 3.0 in Internet Explorer and in Windows. However, doing so will cause browser clients that rely on SSL 3.0 to fail in their server connections.
Microsoft recently offered additional advice for addressing the SSL 3.0 vulnerability, particularly for those using Exchange Server 2010 or Exchange Server 2013, as well as Azure Websites, Roles and Windows Virtual Machines.
For Exchange Server users, disabling SSL 3.0 on Windows Server will affect users whose clients don't support the more current TLS protocol, according to Microsoft: they won't be able to connect to the server. It will also affect other software, such as IIS, that might not support TLS. Users can test whether their browser clients are subject to POODLE attacks via this test page, according to Microsoft's announcement.
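The Windows-side workaround described above, disabling SSL 3.0 in SChannel so that IIS and Exchange stop offering it, as an added example that is not Microsoft's own script. It writes the documented SChannel protocol registry keys and reports the state of the TLS versions so that clients are not left with no protocol to fall back to; the function names are this example's own.

```powershell
# Added example: disable the SSL 3.0 server-side protocol in SChannel, the
# Windows TLS/SSL provider used by IIS and Exchange. Run from an elevated
# PowerShell session; SChannel reads these values at boot, so a reboot is
# needed before the change takes effect.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SslProtocolState {
    param([string]$Protocol, [string]$Side)
    $key = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $key)) { return 'not configured (Windows default applies)' }
    $p = Get-ItemProperty -Path $key
    if ($null -eq $p.Enabled) { return 'key present, Enabled unset' }
    if ($p.Enabled -eq 0) { return 'disabled' } else { return 'enabled' }
}

function Disable-SslProtocol {
    param([string]$Protocol, [string]$Side)
    $key = Join-Path $base "$Protocol\$Side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled = 0 turns the protocol off; DisabledByDefault = 1 keeps it off
    # for callers that do not name a protocol list explicitly.
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
}

# Record the state before the change so the regression the article warns
# about (clients that only speak SSL 3.0) can be diagnosed and rolled back.
"SSL 3.0 server before: $(Get-SslProtocolState 'SSL 3.0' 'Server')"
Disable-SslProtocol -Protocol 'SSL 3.0' -Side 'Server'
"SSL 3.0 server after:  $(Get-SslProtocolState 'SSL 3.0' 'Server')"

# Make sure an earlier hardening change has not also switched off the TLS
# versions; once SSL 3.0 is gone they are the only protocols left to negotiate.
foreach ($tls in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    "$tls server: $(Get-SslProtocolState $tls 'Server')"
}
Write-Host 'Reboot required for SChannel to pick up the change.'
```

Browser and other client connections use the separate `Client` subkey, which the script leaves alone; disabling that side is a distinct decision with its own compatibility impact.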
URL Rewrite Rule
Microsoft also indicated that Azure Websites, Roles and Windows Virtual Machines enable the SSL 3.0 protocol by default. SSL 3.0 can be disabled for those solutions, although Microsoft cautions that "we encourage customers to evaluate the risk of regression before implementing these changes." Alternatively, IT pros can "configure a custom action" should a browser attempt to establish an SSL 3.0 connection. The custom action can be set up using a code snippet, called a "URL rewrite rule," that's provided by Microsoft.
Security expert and Microsoft MVP Troy Hunt prefers using the URL rewrite rule over disabling SSL 3.0 on Azure. The reason is that disabling SSL 3.0 will likely cause connection problems for a small number of users. With the URL rewrite rule, the SSL 3.0 connection is still made, but the attacker doesn't get the information needed to conduct an exploit, Hunt explained in a blog post.
Hunt doesn't recommend ignoring the SSL 3.0 flaw. "Yes, this means that taking no action leaves you vulnerable," he wrote.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.