Oh, good, I was just sitting here thinking, I wish there was some more patching I could be doing...
Gird your loins, sysadmins: The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent. (And indeed so it turned out to be - the Poodle vuln. You heard it here first. - Ed) Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is …
Thank you, but actually patching servers is not the worst part of the problem - testing and arranging service outages for production systems is the killer :-( Fortunately the bash patching didn't need any outages, but testing and signoff for the change still took time and effort.
If you are using IIS you can disable SSL 3.0 (only negatively affects IE 6 users) using registry scripts/PowerShell. The site below (no affiliation) has a number of PowerShell scripts (very easy to see the registry keys from them if you want to use the registry or GPO) that can disable SSL 3.0 as well as secure SSL against a range of issues.
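As an added illustration (not the commenter's code or anything from the site they mention), the PowerShell below writes the standard Schannel registry values that such scripts set to turn off SSL 2.0 and SSL 3.0, and reports the resulting state; the key paths and value names are the documented Schannel ones, the function names are my own.

```powershell
# Added example: disable SSL 2.0 / SSL 3.0 for Schannel (which IIS uses) and show the result.
# Needs an elevated session; Schannel reads these values at boot, so reboot afterwards.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    param([Parameter(Mandatory)][string]$Protocol)   # e.g. 'SSL 3.0'
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $base $Protocol) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 refuses the protocol outright; DisabledByDefault=1 additionally stops
        # applications that do not pass an explicit protocol list from offering it.
        New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

function Get-SchannelProtocolState {
    param([Parameter(Mandatory)][string]$Protocol)
    foreach ($side in 'Server', 'Client') {
        $key   = Join-Path (Join-Path $base $Protocol) $side
        $props = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $side
            # A missing key or value means the Windows default for that version applies,
            # so 'default' here is not the same as 'disabled'.
            Enabled           = $(if ($null -ne $props.Enabled) { $props.Enabled } else { 'default' })
            DisabledByDefault = $(if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'default' })
        }
    }
}

'SSL 2.0', 'SSL 3.0' | ForEach-Object { Disable-SchannelProtocol -Protocol $_ }
'SSL 2.0', 'SSL 3.0' | ForEach-Object { Get-SchannelProtocolState -Protocol $_ } | Format-Table -AutoSize
```

The same values can be pushed by GPO as registry preferences; run the Get- function alone first to record the pre-change state for the change ticket.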
Right - versus OSS software like BASH where they publish full details of the flaw (that existed for at least 2 decades) and make you wait a couple of days for a fix that actually works, so every hacker and every script kiddie is able to exploit it at will....
It's almost impossible to not have TLS support in anything that supports SSL, and this is just one more of the dozens of existing vulnerabilities in SSL 3. Even TLS 1.0 is past its prime and needs to be replaced by 1.2 ASAP, so it's time to just turn SSL off for good.
Yes. SSL 3 is broken for serious use - it's only useful if your threat model is "don't be the low-hanging fruit".1 That's a reasonable threat model for many cases, frankly - but there's almost never a reason to support clients that don't have TLS support, unless you must support IE 6. And even then IE 6 use should be restricted to only those legacy apps that can't run in anything else, and those apps should be scheduled for replacement.
This should be moot, as there is no need to offer the SSL 3.0 protocol these days; the only clients that need it are themselves broken and should be corrected: IE 6.0, or later versions of IE misconfigured away from the defaults. Offering TLS 1.0, 1.1 and 1.2 is best practice, potentially even just 1.0 and 1.2 as 1.1 is unused.
For military applications, please see the Dashing White Sergeant.
Is the tech community reeling because when the vulnerability was announced they all said "Oh, fox-trot."?
For full cover, make sure you strip the Window(s)
Strictly not IT, but it's that kind of day - a tweet this morning from RPi said "I'd tell you a joke about UDP but you may not get it" so blame them.
"A dangerous worm has been discovered exploiting a zero-day flaw (CVE 2014-4114) in all versions of Microsoft Windows and Server 2008 and 2012."
Erm, no. That vulnerability is in the OLE package manager and requires social engineering and user interaction to exploit so it is not possible to turn into a worm.
Biting the hand that feeds IT © 1998–2021