back to article NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)

Gird your loins, sysadmins: The Register has learned that news of yet another security vulnerability - this time in SSL 3.0 - is probably imminent. (And indeed so it turned out to be - the Poodle vuln. You heard it here first. - Ed) Maintainers have kept quiet about the vulnerability in the lead-up to a patch release, which is …

  1. Alister
    Unhappy

    Oh, good, I was just sitting here thinking, I wish there was some more patching I could be doing...

    NOT!

    1. yossarianuk

      Spacewalk !

      - if you are a redhat/centos/suse based business get spacewalk (its free) - I have updated 300 + servers for the bash / heartbleed issue in one move (takes about 1 min)

      The only issue is that debian/ubuntu are really not supported.

      1. Anonymous Coward
        Anonymous Coward

        Re: Spacewalk !

        I use simple expect script (its free) and I would expect (pun intended) it works on all linux distributions.

      2. tfewster

        Re: Spacewalk !

        Thanks you, but actually patching servers is not the worst part of the problem - Testing and arranging service outages for Production systems is the killer :-( Fortunately the bash patching didn't need any outages, but testing and signoff for the change still took time and effort

    2. DaLo

      If you are using IIS you can disable SSL 3.0 (only negatively affects IE 6 users) using registry scripts/powershell. The site below (no affiliation) has a number of powershell scripts (very easy to see the registry keys from them if you want to use the registry or GPO) that can disable SSL 3.0 as well as securing up SSL for a range of issues.

      https://rootisthelimit.com/securing-ssl-configuration-in-iis/

  2. Anonymous Coward
    Anonymous Coward

    Grids your loins?????

    Gird, surely...

    1. Mark Simon

      … or …

      could be grill your loin chops

    2. Adrian Harvey
      Go

      A guide

      Indeed. For those wishing to follow the advice in the article (unless that isn't a misspelling), here is a handy illustrated guide.

    3. Simon Sharwood, Reg APAC Editor (Written by Reg staff)

      Yes. Gird. This is what happens when the US has a Bank Holiday, I have a writer on leave and I go to too many briefings on the same day ...

      1. Tom 13

        So we should gird ourselves for a grid attack. Or would you prefer for your comments to remain guarded at this time?

      2. Destroy All Monsters Silver badge
        Trollface

        "the US has a Bank Holiday"

        You know it is not really a "Holiday", it was meant to make it impossible for the hoi polloi to drain the cash out of the banks because "fractional reserves, lol!"

  3. Denarius
    Unhappy

    Enuff already !

    bring back the VT100 and serial connections. Oh hang on, they could be trojanned by key macros too. {S}

    1. Anonymous Coward
      Anonymous Coward

      Re: Enuff already !

      Don't worry about it mate! Pretty much every unix shell can be exploited just by incorrectly name files.

      Leave a file named -rf , and symlink / ; then ask your favourite admin to remove the directory .. Hilarity will surely ensue

      1. Anonymous Coward
        Anonymous Coward

        Re: Enuff already !

        How, when you have quotes or escaping?

        But a file called "*" (just an asterisk) is also funny.

      2. This post has been deleted by its author

  4. foo_bar_baz
    Devil

    Thank $deity for proprietary software

    At least it's secure unlike that open source crock.

    1. dotdavid

      Re: Thank $deity for proprietary software

      Presumably you missed the penultimate paragraph of the article

      A dangerous worm has been discovered exploiting a zero-day flaw (CVE 2014-4114) in all versions of Microsoft Windows and Server 2008 and 2012.

      1. sabroni Silver badge

        Re: A dangerous worm has been discovered

        except Worm is just the name of the team that wrote the exploit, it's not a worm. It's an exploit that requires users to download and run a compromised Powerpoint presentation. Quite unlike the Heartbleed and Shellshock exploits.

    2. anonimous

      Re: Thank $deity for proprietary software

      Err, no. In proprietary software often you don't even know about security flaws. But the hackers will.

      1. Anonymous Coward
        Anonymous Coward

        Re: Thank $deity for proprietary software

        Right - versus OSS software like BASH where they publish full details of the flaw (that existed for at least 2 decades) and make you wait a couple of days for a fix that actually works, so every hacker and every script kiddie is able to exploit it at will....

    3. Anonymous Coward
      Anonymous Coward

      Re: Thank $deity for proprietary software

      Suspect people missed the irony flags here.

      (or perhaps I did?)

    4. Anonymous Coward
      Anonymous Coward

      Re: Thank $deity for proprietary software

      If it's a flaw in SSL 3.0 design all standard implementations will be affected - proprietary or not.

      If it is a bug in a given implementation of SSL (like the Heartbleed bug), then only the buggy libraries will be affected - proprietary or not.

    5. Anonymous Coward
      FAIL

      Re: Thank $deity for proprietary software

      "At least it's secure unlike that open source crock."

      I see you obviously clicked the wrong icon, should have been the joke icon.

    6. Michael Wojcik Silver badge

      Re: Thank $deity for proprietary software

      Lions 27, Christians 1.

      Not bad, particularly for trolling on the Reg. I wouldn't put it on the CV but it's a good day's work.

      (Cue victims calling "Poe's Law!".)

  5. Sammy Smalls

    It's not a problem.

    We'll all be killed by Ebola soon so why bother patching?

    1. Destroy All Monsters Silver badge
      Trollface

      Re: It's not a problem.

      Can you give me a CVE number on that?

  6. foxyshadis

    Yet more reason to disable SSL 3

    It's almost impossible to not have TLS support in anything that supports SSL, and this is just one more of the dozens of existing vulnerabilities in SSL 3. Even TLS 1.0 is past its prime and needs to be replaced by 1.2 ASAP, so it's time to just turn SSL off for good.

    1. Michael Wojcik Silver badge

      Re: Yet more reason to disable SSL 3

      Yes. SSL 3 is broken for serious use - it's only useful if your threat model is "don't be the low-hanging fruit".1 That's a reasonable threat model for many cases, frankly - but there's almost never a reason to support clients that don't have TLS support, unless you must support IE 6. And even then IE 6 use should be restricted to only those legacy apps that can't run in anything else, and those apps should be scheduled for replacement.

      1The typical POODLE attack against SSL 3 using a block cipher, for HTTPS, requires about 256 attempts per byte of the data being extracted. If that's a session cookie (the obvious target), hijacking an SSL 3 HTTPS session with POODLE using malicious Javascript is quite feasible. See the POODLE paper for more information.

  7. Nick Lowe

    Should be moot. No need to offer SSL 3.0.

    This should be moot as there is no need to offer the SSL 3.0 protocol these days, the only clients that need it are themselves broken and should be corrected, IE 6.0 or misconfigured later versions of IE against the defaults. Offering TLS 1.0, 1.1 and 1.2 is best practice, potentially even just 1.0 and 1.2 as 1.1 is unused.

    1. Anonymous Bullard

      Re: Should be moot. No need to offer SSL 3.0.

      Yeh, it's 15 or 20 years old. Shouldn't really be using something that old when dealing with crypto, especially when it's already been replaced.

      No details on the flaw, but it was expected.

  8. Anonymous Coward
    Anonymous Coward

    Disabling is fine

    I disabled SSL3 on my websites ages ago (grepular.com and emailprivacytester.com). The only browser this causes problems with is IE6. Screw IE6.

    1. Anonymous Coward
      Anonymous Coward

      Re: Disabling is fine

      screw IE before it screws you

  9. Anonymous Coward
    Anonymous Coward

    mmm...

    An exploit for windows server 2008 and 2012 at the bottom of the page, how can that be? According to MS server 2012 is a complete re-write, bugs and all it seems. Do they ever learn?

    1. Anonymous Coward
      Anonymous Coward

      Re: mmm...

      Didn't they say the same thing about Windows 7, or am I getting senile?

      1. Mark Simon
        Joke

        Re: mmm...

        Which question do you want answered first … ?

        1. Anonymous Coward
          Anonymous Coward

          Re: Which question do you want answered first … ?

          I don't care! As long as we're talking about how crap microsoft is and ignoring the supposed SSL flaw!!!

          Ignore it and it'll go away!

    2. tom dial Silver badge

      Re: mmm...

      Complete rewrite? Rubbish. Nobody who ever wrote programs for a living believed that for a second.

      Microsoft might not be the nicest company to deal with, but they are not so stupid as to discard their own debugged code in favor of rewriting the functions from scratch.

  10. Anonymous Coward
    Anonymous Coward

    "...tech community already reeling..."

    Or

    For military applications, please see the Dashing White Sergeant..

    OR

    Is the tech community reeling because when the vulnerability was announced they all said "Oh, fox-trot."?

    OR

    For full cover, make sure you strip the Window(s)

    Strictly not IT, but it's that kind of day - a tweet this morning from RPi said "I'd tell you a joke about UDP but you may not get it" so blame them.

  11. Anonymous Coward
    Anonymous Coward

    What's the hold up?

    We're just waiting for the logo designer to complete his design, then the details of this bug can be released!

    1. Zog_but_not_the_first
      Trollface

      Re: What's the hold up?

      I heard that Apple have filed a patent application on it.

      1. Anonymous Coward
        Trollface

        Re: What's the hold up?

        "I heard that Apple have filed a patent application on it"

        Not until someone else has been using it for some time.

    2. Alan J. Wylie

      Re: What's the hold up?

      Can I suggest a name: "hassle"

    3. K
      Thumb Up

      Re: What's the hold up?

      Brilliant!! Brought a smile to my face on this dreary Tuesday afternoon :D

  12. Anonymous Coward
    Anonymous Coward

    No worm

    ". A dangerous worm has been discovered exploiting a zero-day flaw (CVE 2014-4114) in all versions of Microsoft Windows and Server 2008 and 2012."

    Erm, no. That vulnerability is in the OLE package manager and requires social engineering and user interaction to exploit so it is not possible to turn into a worm.

  13. Anonymous Bullard

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like