Tatworth

At http://www.wservernews.com/, Windows Server News has published an excellent series of links on POODLE for Windows Admins. Here is a copy of their links.

Things just seem to keep getting worse in IT, don't they? Just when you thought you had a handle on the ShellShock vulnerability a.k.a. BASH bug, another gaping flaw in the underlying protocols of the Internet raises its nasty head. So what is POODLE? Why should we worry about it? Can it affect Windows-based environments? If so, what can we do about it?

What is POODLE?

It's basically a flaw in version 3.0 of the SSL protocol, which used to be the standard for encrypting web traffic but has since been superseded by an updated protocol named TLS.

Should I be worried?

If your company or organization does business over the web then you should probably be worried for two reasons. First, while your web servers are likely configured to use TLS by default for encrypting web traffic, they are also likely configured to fall back to using SSL 3.0 should negotiation between your web server and a customer's web browser fail with TLS for some reason. Second, if your users need to securely connect with their web browsers to any web servers that are outside your control, those web servers are vulnerable for the same reason described above. And if those web servers beyond your control get compromised, then users connecting to them are potentially exposed to various kinds of information disclosure attacks.

I want to know more about POODLE

Want to learn more about how POODLE works? Here is the original announcement concerning this vulnerability on the Google Online Security Blog:

http://www.wservernews.com/go/1414409473798

The above blog post references a security advisory published on OpenSSL.org by some members of the Google Security Team (PDF file):

http://www.wservernews.com/go/1414409475392

StackExchange also has an excellent "in a nutshell" explanation of how POODLE works:

http://www.wservernews.com/go/1414409477517

OK, what should I do?

There are basically two things you can do to protect your assets against POODLE:

  • Disable SSL 3.0 on all systems, platforms, and products you own and manage.
  • Apply any patches released by vendors to address this vulnerability.

What about Microsoft products?

SSL 3.0 is still supported (available for fallback purposes) in the following Microsoft products:

  • All versions of the Windows operating system including both client and server versions
  • Internet Information Services (IIS) web server role on the Windows Server platform
  • Internet Explorer web browser on all versions of Windows

Yikes! OK, how can I disable SSL 3.0 on Microsoft products?

See the Suggested Actions section of Microsoft Security Advisory 3009008 for some general workarounds (requires Windows ID sign-in):

http://www.wservernews.com/go/1414409480923

This thread on ServerFault may also be helpful especially with regard to IIS:

http://www.wservernews.com/go/1414409483204

And this tweet by Microsoft MVP Eric Lawrence shows an easy way users can disable SSL 3.0 if they use Internet Explorer as their web browser:

http://www.wservernews.com/go/1414409485501

Eric later followed this up with another tweet:

http://www.wservernews.com/go/1414409488298
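
On Windows, the operating system, IIS and Internet Explorer all use Schannel, so SSL 3.0 can be audited and switched off system-wide through the Schannel protocol registry values. The script below is an added example, not code from the original post or its linked sources; the function names `Get-Ssl3State` and `Disable-Ssl3` are hypothetical, and the registry path and value names are the standard Schannel protocol settings rather than something quoted on this page.

```powershell
# Added example: audit, and optionally disable, SSL 3.0 in Schannel.
# Run from an elevated PowerShell prompt.
#   .\Ssl3.ps1          reports the current state only
#   .\Ssl3.ps1 -Apply   writes the disabling values, then reports
param([switch]$Apply)

# Standard Schannel protocol key (assumption: not taken from the page itself).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Get-Ssl3State {
    param([string]$Role)   # 'Server' (inbound, e.g. IIS) or 'Client' (outbound)
    $p = Get-ItemProperty -Path (Join-Path $base $Role) -ErrorAction SilentlyContinue
    # Empty Enabled/DisabledByDefault means the value is not set and the
    # OS default applies; only an explicit Enabled = 0 counts as disabled here.
    New-Object PSObject -Property @{
        Role               = $Role
        Enabled            = $p.Enabled
        DisabledByDefault  = $p.DisabledByDefault
        ExplicitlyDisabled = ($p.Enabled -eq 0)
    }
}

function Disable-Ssl3 {
    param([string]$Role)
    $key = Join-Path $base $Role
    # Create the key (and any missing parents) before writing values.
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name Enabled -Value 0 `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

foreach ($role in 'Server', 'Client') {
    if ($Apply) { Disable-Ssl3 -Role $role }
    Get-Ssl3State -Role $role
}

if ($Apply) {
    Write-Warning 'Restart the machine for the Schannel change to take effect.'
}
```

Run it without `-Apply` first to record the existing state, and check that nothing the machine talks to still depends on SSL 3.0 before applying the change.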

What about other web servers and web browsers?

Scott Helme has a terrific post on his blog describing how to disable SSL 3.0 on:

  • Web servers like Apache, Nginx, and IIS
  • Web browsers like Firefox, Chrome and Internet Explorer

Here is Scott's post:

http://www.wservernews.com/go/1414409490376

Scott's article also includes links to sites where you can test your web server or web browser to ensure they have SSL 3.0 disabled.

George Chetcuti also published a note about the POODLE exploit on his blog on WindowsSecurity.com:

http://www.wservernews.com/go/1414409492376

At the end of George's note he says "Go here to find out how to disable SSLv3 support in your browser" and points you to another good article that describes how to disable SSLv3 on various browser platforms:

http://www.wservernews.com/go/1414409495157

Anything more for Windows admins?

We've found a few threads on various Microsoft forums that you might want to keep an eye on:

Posted on Monday, October 27, 2014 9:56 PM


Comments on this post: POODLE for Windows admins

Copyright © TATWORTH | Powered by: GeeksWithBlogs.net