Jump to content

Security Advisory 3009008 updated


Recommended Posts

Guest MSRC Team
Posted

 

Today, we announced the availability of SSL 3.0 fallback warnings in Internet Explorer (IE) 11. For more information please visit the IE blog.

 

 

We have also published an update on the status of the changes we have made to our Azure offerings in response to the SSL 3.0 vulnerability. For more information please visit the Azure blog.

 

 

 

Tracey Pretorius

Director, Response Communications

 

 

UPDATE October 29, 2014: Today, we revised Security Advisory 3009008 to provide an easy, one-click Fix it for customers to disable SSL 3.0 in all supported versions of Internet Explorer (IE).

 

We are committed to helping protect our customers and providing the best possible encryption to protect their data. To do this, we’re working to disable fallback to SSL 3.0 in IE, and disable SSL 3.0 by default in IE, and across Microsoft online services, over the coming months.

 

Millions of people and thousands of organizations around the world rely on our products and services every day, and while the number of systems that rely on SSL 3.0 exclusively is very small, we recognize that, particularly for enterprises, disabling the protocol may cause some impact. That’s why we’re taking a planned approach to this issue and providing customers with advance notice.

 

We encourage everyone to use the workarounds and Fix it provided in Security Advisory 3009008 to investigate their websites, services and third-party applications now, and begin preparing for this change.

 

If you are currently using older versions of IE, such as IE 6, we recommend you upgrade to a newer browser as soon as possible, in addition to using the Fix it released today. IE 11 is our latest and most secure browser and customers who upgrade will continue to benefit from additional security features.

 

Please visit our Azure and Office 365 blogs for more detailed plans.

 

We’re taking ongoing steps to help ensure customers are protected on the Internet, and we’ll continue to provide updates on this journey over the coming months.

 

UPDATE October 19, 2014: Today, we published guidance on how to disable SSL 3.0 in Azure Websites, Roles, and Virtual Machines. For more information, please visit the Azure blog.

 

Original post October 14, 2014: Security Advisory 3009008 released

Today, we released Security Advisory 3009008 to address a vulnerability in Secure Sockets Layer (SSL) 3.0 which could allow information disclosure. This is an industry-wide vulnerability that affects the protocol itself, and is not specific to Microsoft’s implementation of SSL or the Windows operating system.

 

This advisory provides guidance for customers so that they can disable SSL 3.0 in the browser. Customers should be aware that once they disable SSL 3.0, if they visit a website that supports only SSL 3.0 and does not support newer encryption protocols, they will receive a connection error message and will not be able to connect to that website.

 

 

1463e55c6090a87afe118e4500702d83._.gif

 

Continue reading...

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...