SSL 3.0 vulnerability discovered?


10 replies to this topic

#1 x64

  • Members
  • 352 posts
  • Gender:Male
  • Location:London UK

Posted 14 October 2014 - 06:26 AM

According to UK tech news site "The Register", a serious SSL 3.0 vulnerability has been discovered, with technical details being withheld until patches are ready.

Not a lot of information to go on yet, but it looks like a case of "here we go again!".

http://www.theregister.co.uk/2014/10/14/nasty_ssl_30_vulnerability_to_drop_tomorrow/

x64


Edited by Platypus, 30 October 2014 - 07:27 AM.



#2 x64

  • Topic Starter
  • Members
  • 352 posts
  • Gender:Male
  • Location:London UK

Posted 15 October 2014 - 02:44 AM

More information about the vulnerability is now available. Google have dubbed it the "Poodle" flaw.

http://www.theregister.co.uk/2014/10/14/google_drops_ssl_30_poodle_vulnerability/

It seems to be a protocol design flaw rather than a bug in a common implementation, so it is probably not a patching process that will be required, but probably the implementation of mitigation measures (which include disabling SSL 3.0 in some situations). Hmmmm....

x64



#3 Genex17

  • Members
  • 80 posts
  • Gender:Male

Posted 15 October 2014 - 07:03 AM

There's a browser check for this flaw: https://www.poodletest.com/

Firefox 33 passes; Safari 7.1 and Chrome 38 (updated), all running on OSX 10.9.5, do not.


Edited by Genex17, 15 October 2014 - 07:11 AM.


#4 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,090 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 October 2014 - 01:53 PM


The POODLE Attack and the End of SSL 3.0

SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information.

We have a plan to turn off SSLv3 in Firefox. This plan was developed with other browser vendors after a team at Google discovered a critical flaw in SSLv3, which can allow an attacker to extract secret information from inside of an encrypted transaction.


Firefox SSL Version Control

SSLv3 is now insecure, and is soon going to be disabled by default.

In the meantime, you can use this extension to turn off SSLv3 in your copy of Firefox. When you install the add-on, it will set the minimum TLS version to TLS 1.0 (disabling SSLv3). If you want to change that setting later, like if you really need to access an SSLv3 site, just go to Tools / Add-ons and click the "Preferences" button next to the add-on. That will give you a drop-down menu to select the minimum TLS version you want to allow.


Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 Didier Stevens

  • BC Advisor
  • 2,753 posts
  • Gender:Male

Posted 15 October 2014 - 04:35 PM

I can also recommend SANS' info:

https://isc.sans.edu/forums/diary/OpenSSL+SSLv3+POODLE+Vulnerability+Official+Release/18827

They created the poodletest.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Senior Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2019

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#6 SpywareDoc

  • Members
  • 688 posts
  • Gender:Male
  • Location:Maryland, USA

Posted 29 October 2014 - 06:07 PM

Microsoft has released a Fix It to disable the feature which was the subject of the POODLE attack. The Fix It, a program which implements changes in the registry, makes the process simpler than the alternatives.



#7 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,090 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 29 October 2014 - 06:24 PM

The Microsoft Fix it is for Internet Explorer.

#8 cat1092

    Bleeping Cat

  • BC Advisor
  • 7,018 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 29 October 2014 - 11:01 PM

I passed the poodletest that my colleague, Didier Stevens, kindly provided us a link to check with, using the Google Chrome browser; however, I'm on Linux Mint 17 at the moment, for the purpose of having a secure OS.

Will need to check this on my Windows installs to make sure those pass also.

Thanks for the link, Didier! :thumbup2:

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#9 Didier Stevens

  • BC Advisor
  • 2,753 posts
  • Gender:Male

Posted 30 October 2014 - 01:57 PM

You're welcome Cat!



#10 NickAu

    Bleepin' Fish Doctor

  • Moderator
  • 13,854 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 09 December 2014 - 03:39 PM

If you remember the Poodle vulnerability which was discovered in October, 2014, you did remember that Google had taken action to contain it on SSLv3 ciphers and done away with the obsolete system (Chrome 40 is scheduled to remove SSLv3 completely, while Firefox 34, released Dec 1st, has already removed SSLv3 support). But today security research lab Qualys revealed that the Poodle vulnerability was far from over.

Qualys says that the Poodle vulnerability has resurfaced again, this time in the Transaction Layer Security (TLS). The new vulnerability, which has been designated CVE-2014-8730, exploits the same class of problem as the old vulnerability: making an error in handling the padding and allowing the attacker to steal "secure" HTTP cookies, authorization tokens and other data from the victim.

Poodle vulnerability rises again, this time in TLS
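The padding problem behind both x64's post #2 (SSLv3's padding rule is a protocol design flaw, not an implementation bug) and the TLS variant in post #10 (a TLS stack that checks padding the SSLv3 way is just as exposed), as an added example that is not part of the thread and not code from any poster, Google or Qualys. It models one MAC-then-pad-then-CBC record the way SSLv3 and TLS build them, with a server that either checks only the padding-length byte (SSLv3 rule) or every padding byte (TLS rule), and runs the byte-at-a-time cookie recovery against each. The block cipher is a stand-in Feistel construction built from HMAC-SHA256 so the script runs offline; the attack never looks inside the cipher, so a real cipher behaves identically. The keys, the 16-byte cookie, and the `A`/`B` filler standing in for the URL path and POST body are constructed inputs.

```python
# Toy POODLE padding-oracle simulation (added example, not code from the thread).
import hashlib
import hmac
import os

BLOCK = 16    # block size of the stand-in cipher, in bytes
MAC_LEN = 20  # HMAC-SHA1 tag length


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, i):
    # Keyed round function of the stand-in Feistel cipher (8-byte output).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in range(8):
        l, r = r, _xor(l, _round(key, r, i))
    return l + r


def decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(8)):
        l, r = _xor(r, _round(key, l, i)), l
    return l + r


def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = encrypt_block(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(decrypt_block(key, blk), prev)
        prev = blk
    return out


class Server:
    """Session keys plus the secret cookie; the attacker only ever sees ciphertext.
    strict_padding=False: SSLv3 rule, only the padding-length byte is checked.
    strict_padding=True:  TLS rule, every padding byte must equal the length byte."""

    def __init__(self, strict_padding):
        self.enc_key = os.urandom(16)   # constructed session keys
        self.mac_key = os.urandom(16)
        self.cookie = os.urandom(16)    # constructed secret the attacker wants
        self.strict_padding = strict_padding

    def seal(self, prefix, suffix):
        # What the victim's browser sends: attacker-chosen prefix (URL path),
        # the secret cookie, attacker-chosen suffix (POST body), MAC, padding.
        data = prefix + self.cookie + suffix
        mac = hmac.new(self.mac_key, data, hashlib.sha1).digest()
        pad_total = BLOCK - (len(data) + MAC_LEN) % BLOCK   # 1..16, incl. length byte
        padding = bytes([pad_total - 1]) * pad_total
        iv = os.urandom(BLOCK)
        return iv, cbc_encrypt(self.enc_key, iv, data + mac + padding)

    def open(self, iv, ct):
        """True if the record is accepted (padding and MAC valid), else False."""
        pt = cbc_decrypt(self.enc_key, iv, ct)
        pad_len = pt[-1]
        if pad_len >= BLOCK:
            return False
        if self.strict_padding and any(b != pad_len for b in pt[-(pad_len + 1):]):
            return False
        body = pt[:len(pt) - pad_len - 1]
        data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
        return hmac.compare_digest(mac, hmac.new(self.mac_key, data, hashlib.sha1).digest())


def poodle_recover(server, max_tries_per_byte=4096):
    """Recover the cookie byte by byte; None if the oracle never fires."""
    recovered = b""
    for i in range(len(server.cookie)):
        # Shift the request so cookie[i] is the LAST byte of ciphertext block 0
        # and the record ends in a full block of padding (length byte == 15).
        prefix_len = (BLOCK - 1 - i) % BLOCK
        suffix_len = (-(prefix_len + len(server.cookie) + MAC_LEN)) % BLOCK
        for _ in range(max_tries_per_byte):
            iv, ct = server.seal(b"A" * prefix_len, b"B" * suffix_len)
            c_target = ct[:BLOCK]                 # block whose last plaintext byte is cookie[i]
            c_prev_last = ct[-2 * BLOCK:-BLOCK]   # block that precedes the padding block
            forged = ct[:-BLOCK] + c_target       # replace the padding block with the target
            if server.open(iv, forged):
                # Accepted => D(c_target)[15] ^ c_prev_last[15] == 15 (about 1 try in 256),
                # and cookie[i] == D(c_target)[15] ^ iv[15] since the IV precedes block 0.
                recovered += bytes([15 ^ c_prev_last[-1] ^ iv[-1]])
                break
        else:
            return None
    return recovered
```

`poodle_recover(Server(strict_padding=False))` returns the cookie after roughly 256 forged records per byte, which is why the real attack needs a script in the victim's browser to replay the request a few thousand times; the same call against `Server(strict_padding=True)` returns `None`, because a forged block is then accepted only if all sixteen decrypted bytes equal the length byte. Disabling SSL 3.0 removes the protocol that mandates the weak rule; the TLS variant in post #10 is a stack that kept the weak rule even when negotiating TLS.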



#11 quietman7

    Bleepin' Janitor

  • Global Moderator
  • 52,090 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 09 December 2014 - 06:37 PM

http://www.computerworld.com/article/2857113/the-poodle-flaw-returns-this-time-hitting-tls-security-protocol.html
http://www.theregister.co.uk/2014/12/09/zombie_poodle_wanders_in_cocks_leg_on_tls/
http://arstechnica.com/security/2014/12/meaner-poodle-bug-that-bypasses-tls-crypto-bites-10-percent-of-websites/



