
Microsoft lets YOU kill POODLE in Protected Mode sites

Christmas gift to be default by Feb

Microsoft has granted sysadmins the ability to kill their exposure to rabid POODLE attacks over SSL 3.0 on Internet Explorer Protected Mode sites.

The Christmas gift will be switched on by default from February next year as Redmond moves to euthanise the Padding Oracle on Downgrade Legacy Encryption attack across its web presences.

Microsoft said the POODLE-killing option, delivered as part of its Patch Tuesday packages, would close off the albeit small risk of a malicious fallback from TLS to SSL 3.0.

"To continue to help protect customers, we are taking the interim step to provide the option to disable SSL 3.0 fallback in Internet Explorer 11 for Protected Mode sites, which is the default for Internet sites and Restricted sites," the company said in a post.

"This change is currently off by default, and we plan to turn it on by default in Internet Explorer 11 on February 10, 2015.

"By interfering with the connection between the target client and server, a man-in-the-middle can force a downgrade from TLS 1.0 or newer, more secure protocols, to the SSL 3.0 protocol."

Most instances of fallback from TLS 1.0 to SSL 3.0 were innocent errors, but "indistinguishable from a man-in-the-middle attack," it said.

The configuration change could be applied through Group Policy or using Microsoft's Fix It tool.
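The retry loop Microsoft describes is easy to model. The following is an added illustration, not code from the article or from Microsoft: a toy Python model in which protocol versions are just labels and a handshake is a function call. It shows why a client that retries failed handshakes at lower versions cannot tell a legacy SSL 3.0-only server from an on-path attacker who breaks TLS handshakes, and what raising the retry floor to TLS 1.0 (the "disable SSL 3.0 fallback" setting) changes.

```python
"""Constructed model of the TLS-to-SSL 3.0 fallback dance that POODLE
downgrade attacks abuse. Not real TLS: versions are labels, handshakes
are function calls. Server sets and scenario names are made up here."""

# Versions in the order a fallback-capable client tries them.
VERSIONS = ["TLS 1.2", "TLS 1.1", "TLS 1.0", "SSL 3.0"]

# Floor of the retry loop. With SSL 3.0 fallback disabled, TLS 1.0 is the
# lowest version the client will ever retry with.
FLOOR_FALLBACK_ON = "SSL 3.0"
FLOOR_FALLBACK_OFF = "TLS 1.0"


def handshake(offered, server_versions, attacker_on_path):
    """Server side of one handshake attempt. Returns the negotiated
    version, or None if the attempt fails. The on-path attacker simply
    breaks every handshake that offers anything newer than SSL 3.0; from
    the client's side that looks exactly like a server that cannot speak it."""
    if attacker_on_path and offered != "SSL 3.0":
        return None
    return offered if offered in server_versions else None


def connect(server_versions, attacker_on_path, floor):
    """Client side: try versions from highest to lowest, stopping at
    `floor`. Returns (negotiated_version_or_None, versions_tried)."""
    tried = []
    for version in VERSIONS:
        tried.append(version)
        result = handshake(version, server_versions, attacker_on_path)
        if result is not None:
            return result, tried
        if version == floor:
            break
    return None, tried


MODERN_SERVER = {"TLS 1.2", "TLS 1.1", "TLS 1.0", "SSL 3.0"}  # constructed
LEGACY_SERVER = {"SSL 3.0"}  # the "innocent error" case from the article


def scenario(server_versions, attacker_on_path, ssl3_fallback_enabled):
    """Run one connection under the given fallback policy."""
    floor = FLOOR_FALLBACK_ON if ssl3_fallback_enabled else FLOOR_FALLBACK_OFF
    return connect(server_versions, attacker_on_path, floor)


if __name__ == "__main__":
    print("fallback on,  attacker:", scenario(MODERN_SERVER, True, True))
    print("fallback off, attacker:", scenario(MODERN_SERVER, True, False))
    print("fallback on,  legacy  :", scenario(LEGACY_SERVER, False, True))
    print("fallback off, legacy  :", scenario(LEGACY_SERVER, False, False))
```

With fallback on, the attacked modern server and the untouched legacy server produce the identical sequence of failed attempts before SSL 3.0 succeeds; with fallback off, both stop at TLS 1.0, so the attacker gets a failed connection instead of an SSL 3.0 session.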

Redmond's feature will make it harder for attackers to target organisations by exploiting weaknesses in the design of SSL 3.0 to snatch victims' secret session cookies. These can be used to log into online accounts, such as webmail, social networks, and so on.

It was delivered under Microsoft's Patch Tuesday bulletin that plugged 25 software holes including flaws that allowed attackers to exploit Internet Explorer, Word and Excel files, and Visual Basic scripts.

The POODLE attack was first described in a document [PDF] and in further detail in a lauded technical write-up by Google engineer Adam Langley.

Users can test their browsers against POODLE using an online tool.

Microsoft's move comes as Google security bod Adam Langley dropped news that POODLE still affected some of Google's infrastructure. ®
