Microsoft takes slow, cautious path to protecting IE against POODLE

10.12.2014
Microsoft yesterday added an optional anti-POODLE defense to Internet Explorer 11 (IE11), and promised that additional protection would be switched on by default in two months.

The 15-year-old flaw in SSL 3.0 -- an aged standard used to encrypt traffic between browsers and Web servers -- was disclosed two months ago by a team of Google security researchers. Criminals could exploit the vulnerability using "man-in-the-middle" attacks to make off with session cookies. Those stolen cookies would let the hackers impersonate their victims, automatically logging into sites to make online purchases, rifle through email or pilfer files from cloud storage services.

With Tuesday's update to IE11, the browser can now be set to kill what's called "SSL 3.0 fallback," a mechanism that forces the browser to switch to the buggy SSL 3.0 from more secure encryption protocols, such as TLS 1.2.

The option can be set in IE11 by editing the Windows Registry, downloading and running a small tool, or for corporate IT staffs, with the Group Policy Editor.

Starting on Feb. 10, 2015 -- that month's Patch Tuesday -- IE11 will default to disabling fallback for most sites.

Microsoft has yet to say when it's going to strip SSL 3.0 from IE, however. That's notable because other browser makers have moved much faster to dump the tired standard.

For example, Mozilla disabled SSL 3.0 in Firefox 34, which was released three weeks ago, and Google has scheduled a similar move for Chrome 40, which should ship between the end of this month and the middle of January 2015.

Apple has not ditched SSL 3.0, but in mid-October it blocked Safari's use of potentially-vulnerable cryptographic ciphers with the standard.

Opera Software has taken its own tack for its desktop browser, Opera 25, to protect against POODLE-style attacks. But it has not yet removed SSL 3.0.

Microsoft's reluctance to jump onto the "kill-SSL 3.0" bandwagon reflects its conservative approach to most browser problems, a necessity since the bulk of IE users run it in business settings. Corporations are famously adverse to change, and would likely raise a ruckus if Microsoft suddenly tossed the protocol and their employees were unable to reach work-required websites.

By tackling IE11 only, Microsoft also reminded customers that it now favors that browser, the newest available for Windows 7, Windows 8 and Windows 8.1 (and used in the Windows 10 Technical Preview as well). In August, Microsoft abruptly announced that it was giving customers until January 2016 to stop using older versions of IE.

After Jan. 12, 2016, Microsoft will support only IE11 on Windows 7, 8 and 8.1. Other browsers on those editions will no longer receive security patches.

The IE11 update was one of seven Microsoft issued Tuesday. Designated MS14-080, it patched 14 different vulnerabilities in the company's browser line. The update can be retrieved through the Windows Update service or the business-grade Windows Server Update Services (WSUS).

(www.computerworld.com)

Gregg Keizer