Microsoft released a Fix It tool for users to disable SSL 3.0 in all supported versions of Internet Explorer in light of a vulnerability affecting the protocol.
Microsoft also said it will work to disable fallback to SSL 3.0 and disable SSL 3.0 by default in Internet Explorer (IE) and Microsoft online services.
“Millions of people and thousands of organizations around the world rely on our products and services every day, and while the number of systems that rely on SSL 3.0 exclusively is very small, we recognize that, particularly for enterprises, disabling the protocol may cause some impact,” said Tracey Pretorius, director of communications for Microsoft’s Security Response Center. “That’s why we’re taking a planned approach to this issue and providing customers with advance notice.”
While the security of SSL 3.0 has come into question in the past, it burst into the spotlight with the revelation of the Poodle (Padding Oracle On Downgraded Legacy Encryption) attack in October. The vulnerability allows a man-in-the-middle attacker to decrypt secure HTTP cookies.
Starting Dec. 1, Office 365 and Azure will begin disabling support for SSL 3.0. In addition, all client/browser combinations will need to utilize TLS 1.0 or higher to connect to Azure and Office 365 services without issues. This may require certain client/browser combinations to go through an update, Microsoft said.
“If you are currently using older versions of IE, such as IE 6, we recommend you upgrade to a newer browser as soon as possible, in addition to using the Fix it,” Pretorius said.