Vulnerability in SSL 3.0 Could Allow Information Disclosure

De Master Yoda

Microsoft Security Advisory 3009008
Vulnerability in SSL 3.0 Could Allow Information Disclosure

Published: October 14, 2014 | Updated: October 29, 2014

Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.

Microsoft is announcing that SSL 3.0 will be disabled in the default configuration of Internet Explorer and across Microsoft online services over the coming months. We recommend customers migrate clients and services to more secure security protocols, such as TLS 1.0, TLS 1.1 or TLS 1.2.

Mitigating Factors:

The attacker must make several hundred HTTPS requests before the attack could be successful.
TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Recommendation. Please see the Suggested Actions section of this advisory for workarounds to disable SSL 3.0. Microsoft recommends customers use these workarounds to test their clients and services for the usage of SSL 3.0 and start migrating accordingly.