There’s a New Security Vulnerability Named POODLE and It’s Not Cute and Cuddly

poodleA new security hole was recently discovered in a basic protocol used for encrypting web traffic. Its name is POODLE, which stands for Padding Oracle on Downgraded Legacy Encryption, and it was discovered by three Google security researchers who published a paper about it.

POODLE affects SSLv3 or version 3 of the Secure Socket Layer protocol, which is used to encrypt traffic between a browser and a web site, or between a user’s email client and mail server. SSL is a cryptographic protocol used to provide encryption and authentication security. SSLv3 is the most recent variant – and has been widely used in browsers including Google Chrome, Mozilla Firefox, IE, Opera, and Safari. Primarily all browsers on Windows PCs, Windows Servers, Macs, tablets and smart phones may be affected. Additionally, SSLv3 is also used on Unix and Linux platforms.

This threat is not as serious as the recent Heartbleed and Shellshock vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.

To exploit the vulnerability, you must be running javascript, and the attacker has to be on the same network as you — for example, on the same public Wi-Fi network you’re using. This makes it less severe than an attack that can be conducted remotely against any computer on the Internet.

The attack works only on traffic sessions using SSLv3. Although this is an old protocol that has been replaced in many client and server configurations with TLS (Transport Layer Security), many browser clients and web servers that use TLS for connections still support SSLv3. Some products and browsers, like Internet Explorer 6 for Windows XP, only use SSLv3. There are also clients that support SSLv3 as an alternative to use whenever a TLS connection to a web server fails. An attacker could exploit this compatibility to downgrade a connection to SSLv3 and then conduct the POODLE attack to hijack your session.

“This attack is really against clients — you have to worry about it if you’re in a place like Starbucks,” says Rob Graham, CEO of Erratasec. “If you’re at home there’s probably no need to panic.”

Heartbleed and Shellshock were vulnerabilities that allowed an attacker to hack a server. POODLE instead targets the clients.

“The fear of rushing to go fix this is very low because of that,” Graham says. “People with servers can’t get hacked, and people with vulnerable clients also can’t get hacked unless they’re on an open Wi-Fi.”

RECOMMENDATIONS

Taking into consideration that this information could be overwhelming, the best practice is to upgrade older versions of browsers and disable SSLv3, as there is no other fix available at this time.

The following browsers support TLS 1.0 (and must be configured to disable SSLv3):

  • Google Chrome v1
  • Firefox v1
  • Internet Explorer v7
  • Safari v1

It is also recommended to upgrade email versions that use TLS 1.1:

  • Apple Mail (OS X Panther)
  • Outlook 2003 (SP2) or higher
  • Outlook Express 4.0 or higher
  • Thunderbird 2.0
  • Entourage 2008

First Financial updates our systems regularly and your data security is the highest priority.  Should you have any further questions or concerns regarding this matter, please contact Member Services at 866.750.0100 or email info@firstffcu.com.

Article Source: http://www.wired.com/2014/10/poodle-explained/

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s