Microsoft has issued new guidance on the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability in SSL 3.0, including a one-click Fix It utility that disables SSL 3.0 in Internet Explorer.
The Fix It utility, which was released on Wednesday, is a reversible workaround for all versions of Redmond's browser from IE6 through IE11 – although sticking with buggy, ancient IE6 still really isn't a good idea.
"If you are currently using older versions of IE, such as IE 6, we recommend you upgrade to a newer browser as soon as possible, in addition to using the Fix it released today," Redmond said in a security advisory, while throwing in a plug for its latest, IE11.
In addition, Microsoft says it is planning to issue updates that will disable fallback to SSL 3.0 in IE, then disable SSL 3.0 in IE altogether by default, within the coming months.
The reason for the staged response is the usual one: some customers may not be able to update their web services quickly enough to cope with SSL 3.0 being switched off in IE all at once.
"Millions of people and thousands of organizations around the world rely on our products and services every day, and while the number of systems that rely on SSL 3.0 exclusively is very small, we recognize that, particularly for enterprises, disabling the protocol may cause some impact," Microsoft's Security Response Center team said.
Redmond plans to waste no time updating its own online services, however. The software giant says it will begin disabling SSL 3.0 support in both Office 365 and its Azure cloud services on December 1, meaning customers will need to connect with TLS 1.0 or later. Those versions are not affected by POODLE because TLS requires the receiver to check every padding byte, which closes the oracle that SSL 3.0's check of only the final length byte leaves open.
"This may require certain client/browser combinations to be updated," Microsoft security engineer Ben Ridgway observed in a blog post – which mostly means out-of-date versions of IE could have problems.
Most customers really should work on migrating to a modern version of whatever browser they use. Although TLS 1.0 will still be accepted once Azure and Office 365 cut off SSL 3.0, the Internet Engineering Task Force (IETF) has already superseded it: the TLS 1.2 specification, RFC 5246, obsoletes the TLS 1.0 and 1.1 RFCs. To be as secure as you can be, you'll want software that supports the current version, TLS 1.2.
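To make the SSL 3.0 versus TLS 1.0 distinction concrete, here is a toy model of the POODLE attack. It is an added example, not code from Microsoft or from this article: the record layer, the constructed cookie value, the throwaway HMAC-SHA256 Feistel "block cipher" and the victim-request helper are all assumptions made for the demonstration. With an SSL 3.0-style check (only the final length byte is inspected), an attacker who can make the victim's browser send requests with chosen filler recovers the cookie one byte per roughly 256 requests; with a TLS 1.0-style check (every padding byte must equal the length byte), the same forged records are rejected and the oracle disappears.

```python
"""Toy POODLE model: CBC padding oracle under an SSL 3.0-style check versus a
TLS 1.0-style check. Added example, not Microsoft's or The Register's code."""
import hashlib
import hmac
import secrets

BLOCK = 16           # cipher block size in bytes
MAC_LEN = 32         # HMAC-SHA256 tag length
SECRET_COOKIE = b"s3cr3t"   # constructed value the attacker wants to read

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def block_encrypt(key, block):   # throwaway 4-round Feistel; the attack never touches it
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, data):
    out, prev = b"", iv
    for i in range(0, len(data), BLOCK):
        out += _xor(block_decrypt(key, data[i:i + BLOCK]), prev)
        prev = data[i:i + BLOCK]
    return out

class RecordLayer:
    """MAC-then-encrypt CBC records. mode="ssl3": only the final length byte is
    checked and filler is arbitrary. mode="tls": every padding byte must equal it."""

    def __init__(self, mode):
        self.mode = mode
        self.enc_key = secrets.token_bytes(16)
        self.mac_key = secrets.token_bytes(16)

    def seal(self, plaintext):
        body = plaintext + hmac.new(self.mac_key, plaintext, hashlib.sha256).digest()
        pad_len = (BLOCK - 1) - len(body) % BLOCK      # filler bytes before the length byte
        filler = secrets.token_bytes(pad_len) if self.mode == "ssl3" else bytes([pad_len]) * pad_len
        iv = secrets.token_bytes(BLOCK)                # fresh per record, like each new request
        return iv, cbc_encrypt(self.enc_key, iv, body + filler + bytes([pad_len]))

    def open(self, iv, ciphertext):
        """True if the record has acceptable padding and a matching MAC."""
        data = cbc_decrypt(self.enc_key, iv, ciphertext)
        pad_len = data[-1]
        if pad_len >= BLOCK:
            return False
        if self.mode == "tls" and any(b != pad_len for b in data[-1 - pad_len:-1]):
            return False                               # TLS 1.0 rejects wrong filler bytes
        body = data[:len(data) - pad_len - 1]
        tag = hmac.new(self.mac_key, body[:-MAC_LEN], hashlib.sha256).digest()
        return hmac.compare_digest(tag, body[-MAC_LEN:])

def victim_request(layer, prefix_len, suffix_len):
    """Victim browser, steered by attacker JavaScript, wraps the cookie in chosen filler."""
    return layer.seal(b"P" * prefix_len + SECRET_COOKIE + b"S" * suffix_len)

def poodle(layer, cookie_len, max_tries=4096):
    """Return (bytes recovered, requests used, attack completed)."""
    recovered, requests, target = bytearray(), 0, 2    # target = block holding the byte
    for k in range(cookie_len):
        prefix_len = target * BLOCK - 1 - k            # cookie byte k ends block `target`
        suffix_len = -(prefix_len + cookie_len + MAC_LEN) % BLOCK   # last block is all padding
        for _ in range(max_tries):
            iv, ct = victim_request(layer, prefix_len, suffix_len)
            requests += 1
            blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
            n = len(blocks) - 1
            forged = b"".join(blocks[1:n]) + blocks[target]   # padding block := target block
            if layer.open(iv, forged):
                # Accepted, so D(C_target)[15] ^ C_{n-1}[15] == BLOCK-1; undo the CBC chaining.
                recovered.append((BLOCK - 1) ^ blocks[n - 1][-1] ^ blocks[target - 1][-1])
                break
        else:
            return bytes(recovered), requests, False
    return bytes(recovered), requests, True

if __name__ == "__main__":
    print("SSL 3.0-style check:", poodle(RecordLayer("ssl3"), len(SECRET_COOKIE)))
    print("TLS 1.0-style check:", poodle(RecordLayer("tls"), len(SECRET_COOKIE), max_tries=1000))
```

The first run prints the recovered cookie after a few hundred requests per byte; the second gives up with nothing recovered, because a forged final block would have to decrypt to sixteen identical padding bytes rather than one. The protection in the TLS half holds only for a stack that really performs the full check: an implementation that merely reads the length byte reproduces the SSL 3.0 behaviour, whatever protocol version it negotiates.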
Most of you seem to have got the message by now, though. Microsoft says its own analysis shows that "very few" customers are connecting to its services via SSL 3.0 today. ®