News

Microsoft Planning To Disable SSL 3.0 Support in December

Microsoft gave notice today that it will disable Secure Sockets Layer (SSL) 3.0 support in its Internet Explorer browser and in its Online Services, starting on Dec. 1, 2014.

The announcement ramps up Microsoft's earlier advice to organizations about the SSL 3.0 vulnerability by establishing a firm cut-off date. SSL 3.0 is an older encryption standard that's associated with the HTTPS method for securing Web traffic. Researchers discovered a flaw in SSL 3.0 that can be exploited to carry out so-called "man-in-the-middle"-type attacks, which can lead to the exposure of security information, such as authentication cookies.

The SSL 3.0 exploit is thought to be difficult to carry out. An attacker would have to run hundreds of HTTPS requests to gain the information. But it looks like Microsoft is opting to be proactive in shutting it down, based on today's announcement.

"Although analysis of connections to Microsoft online services shows very few customers still use SSL 3.0, we are providing customers with advance notice of this change so they can update their impacted clients prior to us disabling SSL 3.0," Microsoft's announcement explained.

In response to the vulnerability, Microsoft issued Security Advisory 3009008 earlier this month, which indicates that Windows and Windows Server can be affected by the SSL 3.0 flaw. The security advisory includes workaround advice for disabling SSL 3.0 in both IE and Windows. The SSL 3.0 flaw can also affect Azure Websites and Roles, as well as Virtual Machines.

Today, Microsoft revised that security advisory to include a downloadable "Fix it" MSI file, which is designed to make it easier to disable SSL 3.0 in IE versions. The Fix it can be accessed in this Knowledge Base article.

Microsoft's decision to cut off SSL 3.0 support in December means that IE browsers used with Azure and Office 365 services will have to use the Transport Layer Security (TLS) 1.0, or higher, protocol, going forward. Users might experience connection problems otherwise. The TLS protocol doesn't have this security flaw.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.

Featured

  • Microsoft Warns IT Pros on Windows Netlogon Fix Coming Next Month

    Microsoft on Thursday issued a reminder to organizations to ensure that their systems are properly patched for a "Critical"-rated Windows Netlogon vulnerability before next month's "update Tuesday" patch distribution arrives.

  • Microsoft Nudging Skype for Business Users to Teams

    Microsoft on Thursday announced some perks and prods for Skype for Business unified communications users, with the aim of moving them to the Microsoft Teams collaboration service instead.

  • How To Improve Windows 10's Sound and Video Quality

    Windows 10 comes with built-in tools that can help users get the most out of their sound and video hardware.

  • Microsoft Offers More 'Solorigate' Advice Using Microsoft 365 Defender Tools

    Microsoft issued yet another article with advice on how to use its Microsoft 365 Defender suite of tools to protect against "Solorigate" advanced persistent threat types of attacks in a Thursday announcement.

comments powered by Disqus