Carnegie Mellon University
October 15, 2014

Security Alert: Vulnerability Affecting Browsers ("POODLE")

WHOM DOES THIS AFFECT?

  • Anyone browsing the web, especially in public hotspots
  • Systems running Windows XP and/or Internet Explorer 6 or lower


SUMMARY:

A vulnerability has been announced for most web browsers that could enable the disclosure of private information during a "secure" web session (https), such as a shopping, banking, enrollment or mail viewing session, where you'd normally expect secure, encrypted traffic.

Google discovered the vulnerability and labeled it POODLE, which stands for "Padding Oracle On Downgraded Legacy Encryption."

TECHNICAL DETAILS:

The vulnerability is a weakness in the encryption used by SSL 3.0 and affects browsers such as Chrome, Firefox, Internet Explorer, Safari, and Opera. SSL 3.0 (Secure Sockets Layer version 3.0) is an older protocol, published in 1996, that Internet browsers and Web servers use to transmit sensitive information.

CMU has disabled SSL 3.0 on the Web Login page. If you are unable to authenticate with your Andrew userID, contact the Help Center.
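
Administrators applying the same mitigation to servers they operate can confirm that SSL 3.0 is refused with a check like the one below. This is an added example, not part of the original alert or of CMU's tooling; the function names, the cipher-suite list and the sample replies are illustrative assumptions.

```python
import os
import socket
import struct
# Added example; helper names are illustrative, not from the alert.
SSL3 = b"\x03\x00"  # SSL 3.0 version bytes on the wire
# Suites an SSL 3.0-era server would know (IANA code points).
SUITES = [0x002F, 0x0035, 0x000A, 0x0005]
# Constructed sample replies: start of a ServerHello, and a fatal alert.
SAMPLE_ACCEPT = b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00"
SAMPLE_REFUSE = b"\x15\x03\x00\x00\x02\x02\x46"

def build_sslv3_client_hello() -> bytes:
    """Return one record carrying a ClientHello that offers SSL 3.0 only."""
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (SSL3 + os.urandom(32)            # client_version, random
            + b"\x00"                        # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(reply: bytes) -> str:
    """Classify the first bytes a server sends back to that ClientHello."""
    if not reply or reply[0] == 0x15:        # connection closed, or alert
        return "refused"
    is_server_hello = len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02
    if is_server_hello and reply[9:11] == SSL3:
        return "accepted"                    # server negotiated SSL 3.0
    return "unknown"

def _read(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the hello to a server you operate and classify its answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_sslv3_client_hello())
            head = _read(s, 5)               # record header
            want = min(int.from_bytes(head[3:5], "big"), 6) if len(head) == 5 else 0
            return classify_reply(head + _read(s, want))
    except ConnectionResetError:
        return "refused"
```

A result of "accepted" means the server still negotiates SSL 3.0; "refused" is the expected outcome once the protocol has been disabled.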

WHAT YOU NEED TO DO:

  • Upgrade your web browser to a current version and apply patches/updates that may appear over the next few days addressing the vulnerability.
  • If you are still running Windows XP, we strongly recommend that you upgrade to Windows 7 since the Windows XP Platform is no longer patched.


MORE INFORMATION:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-3566

CONTACT:

Please direct any questions or comments to the Computing Services Help Center (412-268-HELP or it-help@cmu.edu) or to your departmental administrator or DSP consultant.