back to article Bad dog: Redmond's new IE tool KILLS POODLE with one shot

Microsoft has issued new guidance on the POODLE (Padding Oracle On Downgraded Legacy Encryption) SSL vulnerability, including a one-click utility that can automatically disable SSL 3.0 in Internet Explorer. The Fix It utility, which was released on Wednesday, is a reversible workaround for all versions of Redmond's browser …

  1. NoneSuch Silver badge

    Alternate article title

    Redmond screws the pooch.

    1. Oninoshiko

      Re: Alternate article title

      I think you mean: "Redmond unscrews the pooch"

  2. Solmyr ibn Wali Barad

    Grumble, moan.

    Serves you right, whippersnappers, for using these newfangled SSL thingies. If you want to live on the bleeding edge, you're going to bleed a lot.

    Now get off my lawn!

    1. Trevor_Pott Gold badge

      Re: Grumble, moan.

      SSL = ancient. TLS = slightly less ancient and currently in use.

  3. Anonymous Coward

    Might try this

    If someone can remind me how to fire up IE.

    1. CaptainBanjax

      Re: Might try this

      I just checked /usr/bin cant see it. Sorry for not helping.

      Will they be releasing this fix as a deb package?

      1. Anonymous Coward
        Anonymous Coward

        Re: Might try this

        Hey, there was a time where MS tried to port IE to *nix when Netscape ruled the roost. However IE was very slow, screwed up the content, and crashed often and repeatedly. So, no change then!

        1. Justin Goldberg

          Re: Might try this

          Hah, they could have made half-hearted ports of Netscape to everything out there, VMS, Amiga, Sun (actually I believe there was sunos and hpux ie versions?) to get microsoft to waste their resources on porting!

    2. Anonymous Coward
      Anonymous Coward

      Re: Might try this

      It'll probably be somewhere in your start menu. I fired up IE8 on XP yesterday just to use the good version of Google Maps ;)

  4. Anonymous Coward
    Anonymous Coward

    Thank god they've done this - I don't want to be MITM'd while downloading the proper browser.

    1. Anonymous Coward
      Anonymous Coward

      I use IE, and Iron and Firefox (used to use Opera, but due to their inability to grasp corporate proxies gave up).

      I've yet to find a single one that will work properly on all websites and internal kit that requires web access (and no nothing to do with ie6 compatibility).

      These days, as much as I hate to say, I'm finding ie10 about the most compatible.

      So feel free to pretend you have found the ultimate browser, because I've yet to.

      The great thing about standards is there are so many of them.

    2. Justin Goldberg

      Don't download the fix through TOR, hah!

  5. John Smith 19 Gold badge

    Read that as...

    "a one-click utility that can automatically disable Internet Explorer."

    But I can do that already.

  6. Anonymous Coward
    Anonymous Coward

    Am I right in thinking ...

    ... that if I go into Firefox's about:config and change security.tls.version.min from 0 to 1, and I then get "Error code: ssl_error_no_cypher_overlap" when I try to connect to a website, that website should be avoided, especially from public networks, because it is vulnerable to POODLE? And does that mean if I apply the IE fix I won't be able to reach it either?

    Good job it's only our corporate web mail server.

  7. Brian Souder 1

    Test Site

    I ran the patch and then tested against this site:

    Your user agent is vulnerable. You should disable SSL 3.

    Anyone else getting similar results?

    Parent Link to above test site:

  8. Brian Souder 1

    Might Have Been My Fault and Manual disable

    Actually - I found an extra IE Window tucked behind another window. After I closed all open sessions of IE and ran again it seemed to fix it. Out of curiosity I tried the site with the latest version of Chrome and it was vulnerable. I found these instructions for disabling it manually.

  9. Tim 11

    Microsoft's own servers

    I think you've missed the point here.

    Assuming Microsoft's own servers haven't been compromised, counting the number of people who connect with SSL3 is only counting those incapable of better security (basically IE6 users). The point of the poodle vulnerability is that anyone capable of downgrading to SSL3 (i.e. the vast majority of people) is vulnerable even if they use a higher security by default.

    1. Brian Souder 1

      Re: Microsoft's own servers

      "The point of the poodle vulnerability is that anyone capable of downgrading to SSL3 (i.e. the vast majority of people) is vulnerable even if they use a higher security by default."

      Yes - this patch and the info I posted above here prevent your own browser from being downgraded to SSL 3. Obviously we can't control where users are going. Most servers out there are using the higher protocol as their start point.

      The security info I am trying to find now is if their VPN tunnel like on Server 2012 anywhere access has been patched yet. If not, how do I turn it off on my end in case someone uses an older browser or something.

  10. Brian Souder 1

    IE 8

    I am trying to patch some XP machines right now that have not been upgraded yet. After I run the patch and the test - the test site says SSL 3 YES* - but the test box at the top just keeps swirling with no official response. I wonder if the patch does not apply to IE 8.

  11. Brian Souder 1


    To be clear - I do realize if you read the KB it does not list XP, but I would assume that since support for XP is dropped. It does say Server 200; it should in theory patch IE8 on Server 2003 then. One would think it should do the same on XP.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like