Microsoft Security Advisory 3009008
Vulnerability in SSL 3.0 Could Allow Information Disclosure
Published: October 14, 2014 | Updated: April 14, 2015
Version: 3.0
General Information
Executive Summary
Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.
We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers.
Microsoft is announcing that, with the release of security update 3038314 on April 14, 2015, SSL 3.0 is disabled by default in Internet Explorer 11. Microsoft is also announcing that SSL 3.0 will be disabled across Microsoft online services over the coming months. We recommend customers migrate clients and services to more secure security protocols, such as TLS 1.0, TLS 1.1 or TLS 1.2.
Mitigating Factors:
- The attacker must make several hundred HTTPS requests before the attack could be successful.
- TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.
Recommendation. Please see the Suggested Actions section of this advisory for workarounds to disable SSL 3.0. Microsoft recommends customers use these workarounds to test their clients and services for the usage of SSL 3.0 and start migrating accordingly.
Advisory Details
Issue References
For more information about this issue, see the following references:
| References | Identification |
|---|---|
| Knowledge Base Article | 3009008 |
| CVE Reference | CVE-2014-3566 |
| Operating System |
|---|
| Windows Server 2003 Service Pack 2 |
| Windows Server 2003 x64 Edition Service Pack 2 |
| Windows Server 2003 with SP2 for Itanium-based Systems |
| Windows Vista Service Pack 2 |
| Windows Vista x64 Edition Service Pack 2 |
| Windows Server 2008 for 32-bit Systems Service Pack 2 |
| Windows Server 2008 for x64-based Systems Service Pack 2 |
| Windows Server 2008 for Itanium-based Systems Service Pack 2 |
| Windows 7 for 32-bit Systems Service Pack 1 |
| Windows 7 for x64-based Systems Service Pack 1 |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 |
| Windows Server 2008 R2 for Itanium-based Systems Service Pack 1 |
| Windows 8 for 32-bit Systems |
| Windows 8 for x64-based Systems |
| Windows 8.1 for 32-bit Systems |
| Windows 8.1 for x64-based Systems |
| Windows Server 2012 |
| Windows Server 2012 R2 |
| Windows RT |
| Windows RT 8.1 |
| **Server Core installation option** |
| Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation) |
| Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation) |
| Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation) |
| Windows Server 2012 (Server Core installation) |
| Windows Server 2012 R2 (Server Core installation) |
`HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server`
**Note** If the complete registry key path does not exist, you can create it by expanding the available keys and using the **New** -> **Key** option from the **Edit** menu.
3. On the **Edit** menu, click **Add Value**.
4. In the **Data Type** list, click **DWORD**.
5. In the **Value Name** box, type **Enabled**, and then click **OK**.
**Note** If this value is present, double-click the value to edit its current value.
6. In the **Edit DWORD (32-bit) Value** dialog box, type **0**.
7. Click **OK**. Restart the computer.
**Note** This workaround will disable SSL 3.0 for all server software installed on a system, including IIS.
**Note** After applying this workaround, clients that rely only on SSL 3.0 will not be able to communicate with the server.
**How to undo the workaround**. Follow these steps to undo the workaround in Windows server software:
1. Open Registry Editor.
2. Locate and then click the following registry sub key:
`HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server`
3. On the Edit menu, click **Delete**.
4. Click **Yes** when prompted.
5. Exit Registry Editor.
6. Restart the system.
**For Client Software**
You can disable support for the SSL 3.0 protocol on Windows by following these steps:
1. Click **Start**, click **Run**, type **regedt32** or type **regedit**, and then click **OK**.
2. In Registry Editor, locate the following registry key:
`HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client`
**Note** If the complete registry key path does not exist, you can create it by expanding the available keys and using the **New** -> **Key** option from the **Edit** menu.
3. On the **Edit** menu, click **Add Value**.
4. In the **Data Type** list, click **DWORD**.
5. In the **Value Name** box, type **Enabled**, and then click **OK**.
**Note** If this value is present, double-click the value to edit its current value.
6. In the **Edit DWORD (32-bit) Value** dialog box, type **0**.
7. Click **OK**. Restart the computer.
**Note** This workaround will disable SSL 3.0 for all client software installed on a system.
**Note** After applying this workaround, client applications on this machine will not be able to communicate with other servers that only support SSL 3.0.
**How to undo the workaround**. Follow these steps to undo the workaround in Windows client software:
1. Open Registry Editor.
2. Locate and then click the following registry sub key:
`HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client`
3. On the Edit menu, click **Delete**.
4. Click **Yes** when prompted.
5. Exit Registry Editor.
6. Restart the system.
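The Server and Client workarounds above, and their undo steps, can be applied and audited from one script. The following PowerShell is an added example, not part of the advisory; it assumes an elevated session and uses the `HKLM:\` provider-path form of the same SCHANNEL key the advisory gives. The function names are the example's own.

```powershell
# Added example (not from the advisory): apply, audit and undo the SSL 3.0
# SCHANNEL registry workaround for both the Server and Client sides.
# Run elevated; as the advisory states, a restart is required after any change.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Get-Ssl30State {
    # Report, per side, whether the workaround (DWORD Enabled = 0) is in place.
    foreach ($Side in 'Server', 'Client') {
        $Key   = Join-Path $Base $Side
        $Value = (Get-ItemProperty -Path $Key -Name Enabled -ErrorAction SilentlyContinue).Enabled
        [pscustomobject]@{
            Side     = $Side
            Enabled  = if ($null -eq $Value) { '(not set: OS default)' } else { $Value }
            Disabled = ($Value -eq 0)
        }
    }
}

function Disable-Ssl30 {
    # Steps 2-7 of the advisory: create the sub key if it is missing, then set Enabled = 0.
    foreach ($Side in 'Server', 'Client') {
        $Key = Join-Path $Base $Side
        if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
        New-ItemProperty -Path $Key -Name Enabled -PropertyType DWord -Value 0 -Force | Out-Null
    }
}

function Undo-Ssl30Workaround {
    # "How to undo the workaround": delete the Server and Client sub keys.
    foreach ($Side in 'Server', 'Client') {
        $Key = Join-Path $Base $Side
        if (Test-Path $Key) { Remove-Item -Path $Key -Recurse -Force }
    }
}

# Audit first; then apply, re-audit and restart (uncomment to run).
Get-Ssl30State | Format-Table -AutoSize
# Disable-Ssl30; Get-Ssl30State | Format-Table -AutoSize; Restart-Computer
```

Before applying `Disable-Ssl30` on a server, confirm no client of that server depends solely on SSL 3.0, since the advisory notes such clients will no longer be able to connect.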
Additional Suggested Actions
Protect your PC
We continue to encourage customers to follow our Protect Your Computer guidance of enabling a firewall, getting software updates and installing antivirus software. For more information, see Microsoft Safety & Security Center.
Keep Microsoft Software Updated
Users running Microsoft software should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit Microsoft Update, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have automatic updating enabled and configured to provide updates for Microsoft products, the updates are delivered to you when they are released, but you should verify that they are installed.
Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
- Bodo Möller of the Google Security Team for working with us on this issue
Other Information
Microsoft Active Protections Program (MAPP)
To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please visit the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.
Feedback
- You can provide feedback by completing the Microsoft Help and Support form, Customer Service Contact Us.
Support
- Customers in the United States and Canada can receive technical support from Security Support. For more information, see Microsoft Help and Support.
- International customers can receive support from their local Microsoft subsidiaries. For more information, see International Support.
- Microsoft TechNet Security provides additional information about security in Microsoft products.
Disclaimer
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions
- V1.0 (October 14, 2014): Advisory published.
- V1.1 (October 15, 2014): Revised advisory to include a workaround for disabling the SSL 3.0 protocol in Windows.
- V2.0 (October 29, 2014): Revised advisory to announce the deprecation of SSL 3.0, to clarify the workaround instructions for disabling SSL 3.0 on Windows servers and on Windows clients, and to announce the availability of a Microsoft Fix it solution for Internet Explorer. For more information, see Knowledge Base Article 3009008.
- V2.1 (December 9, 2014): Microsoft is announcing the availability of SSL 3.0 fallback warnings in Internet Explorer 11. For more information, see Knowledge Base Article 3013210.
- V2.2 (February 10, 2015): Microsoft is announcing that SSL 3.0 fallback attempts are disabled by default in Internet Explorer 11. For more information, see Microsoft Knowledge Base Article 3021952.
- V2.3 (February 16, 2015): Revised advisory to announce the planned date for disabling SSL 3.0 by default in Internet Explorer 11.
- V3.0 (April 14, 2015): Revised advisory to announce that, with the release of security update 3038314 on April 14, 2015, SSL 3.0 is disabled by default in Internet Explorer 11, and to add instructions for how to undo the workarounds.
Page generated 2015-04-07 14:32Z-07:00.