Around 24 hours since the POODLE bug hit the internet and the headlines, the severity of the flaw has made this the new most talked about flaw of the moment.
POODLE, short for “Padding Oracle On Downgraded Legacy Encryption”, affects the 15 year old SSL v3 protocol, which Gavin Millard, Tenable’s technical director for EMEA, said was common in browsers for backwards compatibility, but the reality is that it is difficult to exploit and requires some network access to systems that are vulnerable to the downgrade.
He said: “Whilst it’s true that if successfully used, a malicious attacker could expose private data leading to further exploitation, POODLE is far from the severity of recent bugs like Heartbleed or Shellshock.”
Stuart Morgan, senior security consultant at MWR InfoSecurity, called POODLE a “very clever cryptographic discovery”, but given the low usage of IE6 (3.8 per cent browser share globally, 0.2 per cent in the UK), he said that the likelihood of it being an issue for the vast number of users is minimal.
“However, since POODLE is a fundamental protocol flaw (meaning there is no way to patch SSLv3), System admins are treating it as an area of concern due to the fact that even the newest browsers can still fall back to SSL 3.0,” he said.
He recommended to enterprises who want to be extra-secure to completely disable SSL 3.0 support in browsers, meaning they would never fall back beyond TLS 1.0. He agreed with Millard that this should not be compared to flaws like Heartbleed, but the fact that they both relate to encryption is the only similarity.
He said: “Given the access that you need to be able to successfully launch the POODLE attack, it would not be the easiest realistic attack to perform anyway. There are plenty of other attacks to choose from; most are less elegant but are far more likely to result in compromise than this.”
Itsik Mantik, security researcher at Imperva, said that the conditions which are required for the attack to be applicable are hard to obtain as in particular, the attacker needs to become a man-in-the-middle between the attacked client and server, and to generate, block and modify client messages to the server and vice versa.
He said: “The most common approach for becoming man-in-the-middle is to convince the victim to connect to your wifi. The immediate implication for the average user is that when connected to an untrusted wifi, he should assume that his browsing may be insecure.
“In addition, the attack requires a bypass to the browser Same Origin Policy (SOP), which is not explained in the research. “
Tom Cross, director of security research at Lancope agreed that there will not be as much SSLv3 attack activity, but w
arned that man-in-the-middle attacks are most common on open wireless networks, such as at coffee shops or the airport.
Asked if it was bad timing that this was discovered so close behind Shellshock and almost seven months since Heartbleed, Millard said that he believed that this is a clear demonstration that researchers are working hard to uncover large bugs in code we use every day.
“We are also seeing huge media interest in vulnerabilities as they are being uncovered with far more bylines dedicated to security than we’ve seen previously,” he said. “Put simply, scrutiny from researchers with media interest means we’ll continue to hear about large vulnerability with increased frequency.”
Asked for the best advice for IT administrators on the best steps to take, Cross said: “IT administrators should remove support for SSLv3 from the servers they administrate. Its important to check all devices that use SSL, not just the corporate web server. Often, embedded devices get overlooked in the patch cycle.
“In the case of Heartbleed we’ve seen corporate VPN concentrators attacked months after the vulnerability was disclosed. Earlier this week Lancope infiltrated a ShellShock based botnet that had infected a large number of office phone systems. Unless administrators are careful, vulnerabilities like this can linger for a long time on these kinds of devices.”