Summary: By default, Internet Explorer on Windows client systems supports SSL version 3.0, the version recently found vulnerable to attack. Now there’s another way to turn it off.
By Larry Seltzer for Zero Day
Microsoft has released a Fix It to disable the feature which was the subject of the POODLE attack. The Fix It, a program which implements changes in the registry, makes the process simpler than the alternatives.
POODLE is the name given to a vulnerability in SSL version 3.0 found earlier this month by a Google researcher. SSL was supplanted by TLS and the current version is 1.2, but systems may fall back to older versions if the server does not support the newer ones.
POODLE is a design flaw in SSL/TLS and so there is no patch to fix the bug. Instead, vendors are disabling support for SSL 3.0, a protocol which is old and deprecated anyway. The number of server systems which require SSL 3.0 is said to be small, but users of those servers will start having problems connecting as client systems begin to have their SSL 3.0 support removed.
Disabling SSLv3 support for Internet Explorer wasn’t all that hard without the Fix It. Users could do so by unchecking the “Use SSL 3.0” option in the Advanced tab of the Tools-Internet Options dialog box. A group policy setting is available for managed environments (Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off encryption support).
Google has said that it will remove SSL 3.0 support from all their client products over the next few months. The next version of Firefox (due November 25) will disable SSL 3.0 completely. In the meantime, Mozilla has created an SSL Version Control add-on to allow users to disable the feature.