Microsoft Planning To Disable SSL 3.0 Support in December

Microsoft gave notice today that it will disable Secure Sockets Layer (SSL) 3.0 support in its Internet Explorer browser and in its Online Services, starting on Dec. 1, 2014.

The announcement ramps up Microsoft's earlier advice to organizations about the SSL 3.0 vulnerability by establishing a firm cut-off date. SSL 3.0 is an older encryption standard that's associated with the HTTPS method for securing Web traffic. Researchers discovered a flaw in SSL 3.0 that can be exploited to carry out so-called "man-in-the-middle"-type attacks, which can lead to the exposure of security information, such as authentication cookies.

The SSL 3.0 exploit is thought to be difficult to carry out. An attacker would have to run hundreds of HTTPS requests to gain the information. But it looks like Microsoft is opting to be proactive in shutting it down, based on today's announcement.

"Although analysis of connections to Microsoft online services shows very few customers still use SSL 3.0, we are providing customers with advance notice of this change so they can update their impacted clients prior to us disabling SSL 3.0," Microsoft's announcement explained.

In response to the vulnerability, Microsoft issued Security Advisory 3009008 earlier this month, which indicates that Windows and Windows Server can be affected by the SSL 3.0 flaw. The security advisory includes workaround advice for disabling SSL 3.0 in both IE and Windows. The SSL 3.0 flaw can also affect Azure Websites and Roles, as well as Virtual Machines.

Today, Microsoft revised that security advisory to include a downloadable "Fix it" MSI file, which is designed to make it easier to disable SSL 3.0 in IE versions. The Fix it can be accessed in this Knowledge Base article.

Microsoft's decision to cut off SSL 3.0 support in December means that IE browsers used with Azure and Office 365 services will have to use the Transport Layer Security (TLS) 1.0, or higher, protocol, going forward. Users might experience connection problems otherwise. The TLS protocol doesn't have this security flaw.

About the Author

Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.


  • Office 365 Attack Simulator Now Supports Attachments

    The Attack Simulator in Office 365 tool has been updated and now has the ability to include message attachments in targeted campaigns, according to a Friday Microsoft announcement.

  • How To Disable Touch Input in Windows 10

    When the touchscreen on your Windows 10 laptop goes bad, there's no reason to throw that baby out with the bath water.

  • Microsoft Previews Windows VM Authentications via Azure Active Directory

    Microsoft on Thursday announced a preview of remote authentications into Windows-based Azure virtual machines (VMs) using Azure AD credentials.

  • Windows Server 20H1 Getting Smaller Containers and Faster PowerShell

    Microsoft is promising to deliver a smaller container size and improved PowerShell performance with its next release of Windows Server.

comments powered by Disqus

Office 365 Watch

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.