
Microsoft Security Advisory 3009008

 10/11/2017 •  12 minutes to read • Contributors


Vulnerability in SSL 3.0 Could Allow Information Disclosure

Published: October 14, 2014 | Updated: April 14, 2015

Version: 3.0

General Information

Executive Summary

Microsoft is aware of detailed information that has been published describing a new method to
exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0
protocol itself and is not specific to the Windows operating system. All supported versions of
Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is
not aware of attacks that try to use the reported vulnerability at this time. Considering the attack
scenario, this vulnerability is not considered high risk to customers.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to
provide information that they can use to provide broader protections to customers.

Microsoft is announcing that, with the release of security update 3038314 on April 14, 2015,
SSL 3.0 is disabled by default in Internet Explorer 11. Microsoft is also announcing that SSL 3.0
will be disabled across Microsoft online services over the coming months. We recommend customers
migrate clients and services to more secure protocols, such as TLS 1.0, TLS 1.1 or TLS 1.2.

Mitigating Factors:

The attacker must make several hundred HTTPS requests before the attack could be
successful.
TLS 1.0, TLS 1.1, TLS 1.2, and all cipher suites that do not use CBC mode are not affected.

Recommendation. Please see the Suggested Actions section of this advisory for workarounds
to disable SSL 3.0. Microsoft recommends customers use these workarounds to test their clients
and services for the usage of SSL 3.0 and start migrating accordingly.

Advisory Details

Issue References

For more information about this issue, see the following references:

| References | Identification |
|------------|----------------|
| Knowledge Base Article | 3009008 |
| CVE Reference | CVE-2014-3566 |

Affected Software
This advisory discusses the following software.

Affected Software


Operating System

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems Service Pack 1

Windows 7 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for x64-based Systems Service Pack 1

Windows Server 2008 R2 for Itanium-based Systems Service Pack 1

Windows 8 for 32-bit Systems

Windows 8 for x64-based Systems

Windows 8.1 for 32-bit Systems

Windows 8.1 for x64-based Systems

Windows Server 2012

Windows Server 2012 R2

Windows RT

Windows RT 8.1

Server Core installation option

Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)

Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)

Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

Windows Server 2012 (Server Core installation)

Windows Server 2012 R2 (Server Core installation)

Advisory FAQ

I am using a version of Internet Explorer other than 11. How can I protect my system from
this vulnerability?

SSL 3.0 has only been disabled in Internet Explorer 11 on all supported editions of Microsoft
Windows. If you are using a different version of Internet Explorer, please see the Suggested
Workarounds section for workarounds that you can apply to your system to protect it from this
vulnerability.

What is the scope of the advisory?

The purpose of this advisory is to notify customers that Microsoft is aware of detailed
information describing a new method to exploit a vulnerability affecting SSL 3.0. This
vulnerability is an information disclosure vulnerability.

How could an attacker exploit the vulnerability?

In a man-in-the-middle (MiTM) attack, an attacker could downgrade an encrypted TLS session
forcing clients to use SSL 3.0 and then force the browser to execute malicious code. This code
sends several requests to a target HTTPS website, where cookies are sent automatically if a
previous authenticated session exists. This is a required condition in order to exploit this
vulnerability. The attacker could then intercept this HTTPS traffic, and by exploiting a weakness
in the CBC block cipher in SSL 3.0, could decrypt portions of the encrypted traffic (e.g.
authentication cookies).

What might an attacker use this vulnerability to do?

An attacker who successfully exploited this vulnerability could decrypt portions of the encrypted
traffic.

What causes the vulnerability?

The vulnerability is caused by the lack of CBC block cipher padding verification in SSL 3.0.

What is SSL?
Secure Sockets Layer (SSL) is a cryptographic protocol that provides communication security
over the Internet. SSL encrypts the data transported over the network, using cryptography for
privacy and a keyed message authentication code for message reliability.

What is TLS?
Transport Layer Security (TLS) is a standard protocol that is used to provide secure web
communications on the Internet or on intranets. It enables clients to authenticate servers or,
optionally, servers to authenticate clients. It also provides a secure channel by encrypting
communications. TLS is the latest version of the Secure Sockets Layer (SSL) protocol.

Is TLS affected by this issue?

No. This issue is specific to SSL 3.0.

Is this an industry-wide issue?

Yes. The vulnerability resides in the design of the SSL 3.0 protocol and is not limited to
Microsoft’s implementation.

Suggested Actions

Apply Workarounds

Workarounds refer to a setting or configuration change that does not correct the underlying
issue but would help block known attack vectors before a security update is available.

Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 in Internet Explorer

You can disable the SSL 3.0 protocol in Internet Explorer by modifying the Advanced
Security settings in Internet Explorer.

To change the default protocol version to be used for HTTPS requests, perform the
following steps:

1. On the Internet Explorer Tools menu, click Internet Options.
2. In the Internet Options dialog box, click the Advanced tab.
3. In the Security category, uncheck Use SSL 3.0 and check Use TLS 1.0, Use TLS 1.1,
and Use TLS 1.2 (if available).
4. **Note** It is important to check consecutive versions. Not selecting consecutive
versions (e.g. checking TLS 1.0 and 1.2, but not checking 1.1) could result in
connection errors.
5. Click OK.
6. Exit and restart Internet Explorer.

**Note** After applying this workaround, Internet Explorer will fail to connect to Web se

| Note: |
|-------|
| See [Microsoft Knowledge Base Article 3009008](https://support.microsoft.com/kb/3009008) |

**How to undo the workaround**. Follow these steps to enable SSL 3.0 in Internet Explorer.

1. On the Internet Explorer **Tools** menu, click **Internet Options**.
2. In the **Internet Options** dialog box, click the **Advanced** tab.
3. In the **Security** category, check **Use SSL 3.0**.
4. Click **OK**.
5. Exit and restart Internet Explorer.

Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in
Group Policy

You can disable support for the SSL 3.0 protocol in Internet Explorer via Group Policy by
modifying the Turn Off Encryption Support Group Policy Object.

1. Open Group Policy Management.
2. Select the group policy object to modify, right click and select Edit.
3. In the Group Policy Management Editor, browse to the following setting:

   Computer Configuration -> Administrative Templates -> Windows
   Components -> Internet Explorer -> Internet Control Panel -> Advanced Page
   -> Turn off encryption support

4. Double-click the Turn off Encryption Support setting to edit the setting.
5. Click Enabled.
6. In the Options window, change the Secure Protocol combinations setting to "Use
TLS 1.0, TLS 1.1, and TLS 1.2".
7. **Note** It is important to check consecutive versions. Not selecting consecutive
versions (e.g. checking TLS 1.0 and 1.2, but not checking 1.1) could result in
connection errors.
8. Click OK.

**Note** Administrators should make sure this group policy is applied appropriately by lin

**Note** After applying this workaround, Internet Explorer will fail to connect to Web ser
**How to undo the workaround**. Follow these steps to disable the SSL 3.0 policy setting:

1. Open Group Policy Management.
2. Select the group policy object to modify, right click and select **Edit**.
3. In the Group Policy Management Editor, browse to the following setting:

   Computer Configuration -> Administrative Templates -> Windows Components -> I

4. Double-click the **Turn off Encryption Support** setting to edit the setting.
5. Click **Disabled**.
6. Click **OK**.
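The following PowerShell script is an added example; it is not code from the advisory or from Microsoft. It reads the `SecureProtocols` registry value that backs the Internet Options check boxes (user scope) and the value the "Turn off encryption support" policy writes (machine policy scope, which takes precedence), decodes the bitmask, and flags the two conditions the workarounds above warn about: SSL 3.0 still enabled, and a non-consecutive TLS selection. The bit values (SSL 3.0 = 0x20, TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800) and the two key paths are Internet Explorer's own locations, not taken from this page; the function names are the example's own.

```powershell
# Added example (not part of the advisory): audit the IE "Use SSL 3.0 / Use TLS 1.x"
# check boxes, which IE stores as a bitmask in the SecureProtocols registry value.

$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x008
    'SSL 3.0' = 0x020
    'TLS 1.0' = 0x080
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}
# User value written by Internet Options > Advanced; policy value written by the
# "Turn off encryption support" Group Policy setting (policy wins when present).
$UserKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

# Target state from the advisory: TLS 1.0, 1.1 and 1.2 on, SSL 3.0 off (0xA80 = 2688).
$RecommendedMask = 0x080 -bor 0x200 -bor 0x800

function ConvertFrom-SecureProtocols {
    param([Parameter(Mandatory)][int]$Value, [string]$Scope = '')
    $enabled  = @($ProtocolBits.Keys | Where-Object { ($Value -band $ProtocolBits[$_]) -ne 0 })
    $tlsOrder = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2')
    # Selected TLS versions are consecutive when their indices form one unbroken range;
    # the advisory warns that a gap such as 1.0 + 1.2 without 1.1 causes connection errors.
    $idx = @(0..2 | Where-Object { $enabled -contains $tlsOrder[$_] })
    $consecutive = ($idx.Count -eq 0) -or (($idx[-1] - $idx[0] + 1) -eq $idx.Count)
    [pscustomobject]@{
        Scope          = $Scope
        Value          = '0x{0:X} ({0})' -f $Value
        Enabled        = ($enabled -join ', ')
        Ssl3Enabled    = ($enabled -contains 'SSL 3.0')
        TlsConsecutive = $consecutive
    }
}

function Get-IESecureProtocols {
    foreach ($entry in @(
        @{ Scope = 'Policy (HKLM)'; Key = $PolicyKey },
        @{ Scope = 'User (HKCU)';   Key = $UserKey }
    )) {
        $raw = (Get-ItemProperty -Path $entry.Key -Name 'SecureProtocols' -ErrorAction SilentlyContinue).SecureProtocols
        if ($null -eq $raw) {
            # No value means IE uses its built-in default for that scope.
            [pscustomobject]@{ Scope = $entry.Scope; Value = '(not set)'; Enabled = ''; Ssl3Enabled = $null; TlsConsecutive = $null }
        } else {
            ConvertFrom-SecureProtocols -Value $raw -Scope $entry.Scope
        }
    }
}

function Set-IESecureProtocols {
    # Registry equivalent of steps 3 to 5 of the Internet Options workaround for the current user.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$Value = $RecommendedMask)
    if ($PSCmdlet.ShouldProcess($UserKey, ('Set SecureProtocols = 0x{0:X}' -f $Value))) {
        New-ItemProperty -Path $UserKey -Name 'SecureProtocols' -PropertyType DWord -Value $Value -Force | Out-Null
        Write-Warning 'Exit and restart Internet Explorer for the change to take effect.'
    }
}

# Usage:
#   Get-IESecureProtocols | Format-Table -AutoSize
#   ConvertFrom-SecureProtocols -Value 0x8A0   # SSL 3.0 + TLS 1.0 + TLS 1.2: flags both problems
#   Set-IESecureProtocols -WhatIf               # preview the user-scope change
```

Run the audit with the policy scope first: when the Group Policy value is present it overrides whatever the user has ticked in Internet Options, so a user-scope value of 2688 is not sufficient evidence that SSL 3.0 is off.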

Disable SSL 3.0 in Windows

**For Server Software**

You can disable support for the SSL 3.0 protocol on Windows by following these steps:

1. Click Start, click Run, type regedt32 or type regedit, and then click OK.
2. In Registry Editor, locate the following registry key:

   `HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\`

**Note** If the complete registry key path does not exist, you can create it by expanding

3. On the **Edit** menu, click **Add Value**.
4. In the **Data Type** list, click **DWORD**.
5. In the **Value Name** box, type **Enabled**, and then click **OK**.

**Note** If this value is present, double-click the value to edit its current value.

6. In the **Edit DWORD (32-bit) Value** dialog box, type **0**.
7. Click **OK**. Restart the computer.

**Note** This workaround will disable SSL 3.0 for all server software installed on a syste

**Note** After applying this workaround, clients that rely only on SSL 3.0 will not be abl

**How to undo the workaround**. Follow these steps to disable SSL 3.0 in Windows server so

1. Open Registry Editor.
2. Locate and then click the following registry sub key:

   `HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\`

3. On the **Edit** menu, click **Delete**.
4. Click **Yes** when prompted.
5. Exit Registry Editor.
6. Restart the system.

**For Client Software**

You can disable support for the SSL 3.0 protocol on Windows by following these steps:

1. Click **Start**, click **Run**, type **regedt32** or type **regedit**, and then click
2. In Registry Editor, locate the following registry key:

`HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\`

**Note** If the complete registry key path does not exist, you can create it by expanding

3. On the **Edit** menu, click **Add Value**.
4. In the **Data Type** list, click **DWORD**.
5. In the **Value Name** box, type **Enabled**, and then click **OK**.

**Note** If this value is present, double-click the value to edit its current value.

6. In the **Edit DWORD (32-bit) Value** dialog box, type **0**.
7. Click **OK**. Restart the computer.

**Note** This workaround will disable SSL 3.0 for all client software installed on a syste

**Note** After applying this workaround, client applications on this machine will not be a

**How to undo the workaround**. Follow these steps to disable SSL 3.0 in Windows client so

1. Open Registry Editor.
2. Locate and then click the following registry sub key:

   `HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\`

3. On the **Edit** menu, click **Delete**.
4. Click **Yes** when prompted.
5. Exit Registry Editor.
6. Restart the system.
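The script below is an added example, not the advisory's or Microsoft's own code. It audits and applies the Schannel registry workaround from the server and client procedures above, and its `-Undo` switch performs the corresponding undo steps (deleting the `Enabled` value). The page shows the key path truncated at `...\SCHANNEL\Protocols\`; the subkey names `SSL 3.0\Server` and `SSL 3.0\Client` used here are an assumption taken from Schannel's documented registry layout, and the function names are the example's own.

```powershell
# Added example (not part of the advisory): audit and apply the "Disable SSL 3.0 in Windows"
# registry workaround for server software, client software, or both.
# Assumption: "SSL 3.0\Server" and "SSL 3.0\Client" complete the path the advisory
# shows truncated at "...\SCHANNEL\Protocols\" (Schannel's documented layout).
#Requires -RunAsAdministrator

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-Ssl3State {
    # Reports the Enabled value for each scope. A missing key or value means Schannel
    # uses its built-in default, which on the affected Windows versions leaves SSL 3.0 on.
    foreach ($scope in 'Server', 'Client') {
        $key = Join-Path $SchannelProtocols "SSL 3.0\$scope"
        $enabled = $null
        if (Test-Path $key) {
            $enabled = (Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue).Enabled
        }
        [pscustomobject]@{
            Scope   = $scope
            KeyPath = $key
            Enabled = $enabled
            Status  = if ($null -eq $enabled) { 'Default (SSL 3.0 available)' }
                      elseif ($enabled -eq 0) { 'Disabled' }
                      else { 'Enabled' }
        }
    }
}

function Set-Ssl3Workaround {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [ValidateSet('Server', 'Client')]
        [string[]]$Scope = @('Server', 'Client'),
        [switch]$Undo
    )
    foreach ($s in $Scope) {
        $key = Join-Path $SchannelProtocols "SSL 3.0\$s"
        if ($Undo) {
            # Undo procedure: delete the Enabled value, then restart.
            if ((Test-Path $key) -and $PSCmdlet.ShouldProcess($key, "Remove 'Enabled' value")) {
                Remove-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
            }
            continue
        }
        if ($PSCmdlet.ShouldProcess($key, 'Set Enabled (DWORD) = 0')) {
            # Steps 2 to 6: create the key path if it does not exist, then set Enabled to 0.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null
        }
    }
    Write-Warning 'Restart the computer before Schannel picks up the change.'
}

# Usage:
#   Get-Ssl3State | Format-Table -AutoSize   # audit current state
#   Set-Ssl3Workaround -WhatIf               # preview both scopes
#   Set-Ssl3Workaround -Scope Server         # disable SSL 3.0 for server software only
#   Set-Ssl3Workaround -Undo                 # delete the value, restoring the default
```

Because the Server and Client subkeys are independent, audit both: a host that has disabled SSL 3.0 for the services it runs can still negotiate it as a client for outbound connections, which is the case the "For Client Software" procedure covers.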

Additional Suggested Actions

Protect your PC

We continue to encourage customers to follow our Protect Your Computer guidance of
enabling a firewall, getting software updates and installing antivirus software. For more
information, see Microsoft Safety & Security Center.

Keep Microsoft Software Updated

Users running Microsoft software should apply the latest Microsoft security updates to
help make sure that their computers are as protected as possible. If you are not sure
whether your software is up to date, visit Microsoft Update, scan your computer for
available updates, and install any high-priority updates that are offered to you. If you
have automatic updating enabled and configured to provide updates for Microsoft
products, the updates are delivered to you when they are released, but you should
verify that they are installed.

Acknowledgments
Microsoft thanks the following for working with us to help protect customers:

Bodo Möller of the Google Security Team for working with us on this issue

Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to
major security software providers in advance of each monthly security update release. Security
software providers can then use this vulnerability information to provide updated protections to
customers via their security software or devices, such as antivirus, network-based intrusion
detection systems, or host-based intrusion prevention systems. To determine whether active
protections are available from security software providers, please visit the active protections
websites provided by program partners, listed in Microsoft Active Protections Program (MAPP)
Partners.

Feedback
You can provide feedback by completing the Microsoft Help and Support form, Customer
Service Contact Us.

Support

Customers in the United States and Canada can receive technical support from Security
Support. For more information, see Microsoft Help and Support.
International customers can receive support from their local Microsoft subsidiaries. For
more information, see International Support.
Microsoft TechNet Security provides additional information about security in Microsoft
products.

Disclaimer

The information provided in this advisory is provided "as is" without warranty of any kind.
Microsoft disclaims all warranties, either express or implied, including the warranties of
merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or
its suppliers be liable for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply.

Revisions

V1.0 (October 14, 2014): Advisory published.

V1.1 (October 15, 2014): Revised advisory to include a workaround for disabling the SSL 3.0
protocol in Windows.

V2.0 (October 29, 2014): Revised advisory to announce the deprecation of SSL 3.0, to clarify
the workaround instructions for disabling SSL 3.0 on Windows servers and on Windows
clients, and to announce the availability of a Microsoft Fix it solution for Internet Explorer.
For more information see Knowledge Base Article 3009008.

V2.1 (December 9, 2014): Microsoft is announcing the availability of SSL 3.0 fallback
warnings in Internet Explorer 11. For more information see Knowledge Base Article
3013210.

V2.2 (February 10, 2015): Microsoft is announcing that SSL 3.0 fallback attempts are
disabled by default in Internet Explorer 11. For more information see Microsoft Knowledge
Base Article 3021952.

V2.3 (February 16, 2015): Revised advisory to announce the planned date for disabling SSL
3.0 by default in Internet Explorer 11.

V3.0 (April 14, 2015): Revised advisory to announce that, with the release of security update
3038314 on April 14, 2015, SSL 3.0 is disabled by default in Internet Explorer 11, and to add
instructions for how to undo the workarounds.

Page generated 2015-04-07 14:32Z-07:00.
