December 2014 Internet Explorer security updates & disabling SSL 3.0 fallback

Disabling SSL 3.0 fallback

We previously published Security Advisory 3009008 advising that Microsoft will disable SSL 3.0 by default in Internet Explorer and across all Microsoft online services over the coming months. To continue to help protect customers, we are taking the interim step to provide the option to disable SSL 3.0 fallback in Internet Explorer 11 for Protected Mode sites, which is the default for Internet sites and Restricted sites. This change is currently off by default, and we plan to turn it on by default in Internet Explorer 11 on February 10, 2015.

What is SSL 3.0 fallback?

The POODLE SSL 3.0 vulnerability exposed a weakness not only in the SSL 3.0 protocol, but in the way that browsers negotiate an HTTPS connection with web servers. By interfering with the connection between the target client and server, a man-in-the-middle can force a downgrade from TLS 1.0 or newer, more secure protocols, to the SSL 3.0 protocol.

At a high level, when a Web browser connects to an HTTPS Web site it commonly first tries to do so using the highest-available encryption protocol. If this connection fails during the handshake, the browser falls back and retries the connection with a lower protocol version, eventually reaching SSL 3.0. The vast majority of the time, a fallback from TLS 1.0 to SSL 3.0 is the result of an innocent error, but that error is indistinguishable from a man-in-the-middle attack.
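As an added illustration (not part of the original post), the following Python model walks through the retry behaviour just described and through the two settings discussed later: a constructed browser offers its highest version, falls back one step after each failed handshake, and, with fallback blocking on, refuses the final step down to SSL 3.0. The version numbers, the server behaviour and the network disruption are all constructed here; nothing real is negotiated.

```python
"""Toy model of the TLS-to-SSL 3.0 fallback described above (constructed for
illustration; no real handshake is performed)."""

# Protocol versions as their wire numbers, so "newer" is simply "greater".
VERSIONS = {"TLS1.2": 0x0303, "TLS1.1": 0x0302, "TLS1.0": 0x0301, "SSL3.0": 0x0300}
NAMES = {v: k for k, v in VERSIONS.items()}
SSL3 = VERSIONS["SSL3.0"]


def server_hello(supported, offered_max, version_intolerant=False):
    """Constructed server. A correct server picks the highest version it shares
    with the client at or below offered_max. A version-intolerant server (the
    'broken TLS implementation' case) aborts when offered a version newer than
    it knows instead of negotiating down. Returns a version or None."""
    if version_intolerant and offered_max > max(supported):
        return None
    shared = [v for v in supported if v <= offered_max]
    return max(shared) if shared else None


def negotiate(supported, network, block_ssl3_fallback, ssl3_enabled=True,
              version_intolerant=False):
    """Browser side. network(offered_max) -> True means that attempt's handshake
    was disrupted; the client cannot tell an innocent error from an active
    man-in-the-middle. Returns (agreed version name or None, list of attempts)."""
    attempts = []
    for offered_max in sorted(VERSIONS.values(), reverse=True):
        if offered_max == SSL3 and (block_ssl3_fallback or not ssl3_enabled):
            break  # refuse to retry the handshake at SSL 3.0
        attempts.append(NAMES[offered_max])
        if network(offered_max):
            continue  # handshake disrupted: fall back one version and retry
        chosen = server_hello(supported, offered_max, version_intolerant)
        if chosen is None:
            continue  # server aborted the handshake: fall back and retry
        if chosen == SSL3 and not ssl3_enabled:
            return None, attempts  # SSL 3.0 disabled outright: nothing to accept
        return NAMES[chosen], attempts
    return None, attempts


def clean(offered_max):
    return False


def tls_disrupted(offered_max):
    # Constructed disruption: every TLS attempt is broken, SSL 3.0 is let through.
    return offered_max > SSL3
```

With fallback blocked, the disrupted connection fails instead of silently landing on SSL 3.0, while a server that merely negotiates TLS 1.0 still works; a server whose TLS handshake never completes is the one that breaks.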

When will Internet Explorer block SSL 3.0 fallback?

The December 2014 Internet Explorer Cumulative Update (KB3008923), released today, allows users to opt in and block SSL 3.0 fallback in Internet Explorer 11. Enterprise customers can configure this behavior via Group Policy, and it is also configurable via the registry or by using an easy, one-click Fix it solution. Details on how to configure this behavior can be found in KB3013210.

From February 10, 2015, Internet Explorer 11 will prevent insecure fallback to SSL 3.0 for Protected Mode sites.

How can I test if my server will be impacted?

Please review your web server settings and technical documentation, as many servers fall back to SSL 3.0 even if they support TLS 1.0. A number of third-party tests are available that may help.

Disabling SSL 3.0 in your browser will allow you to see which sites do not support TLS and need to be updated. We encourage users to use the workarounds and the easy, one-click Fix it provided in Security Advisory 3009008 to disable SSL 3.0 in their browser.

Security Updates

  • Microsoft Security Bulletin MS14-080 - This critical security update resolves fourteen privately reported vulnerabilities in Internet Explorer. For more information see the full bulletin.
  • Security Update for Flash Player (3008925) - This security update for Adobe Flash Player in Internet Explorer 10 and 11 on supported editions of Windows 8, Windows 8.1, Windows Server 2012 and Windows Server 2012 R2 is also available. The details of the vulnerabilities are documented in Adobe security bulletin APSB14-27. This update addresses the vulnerabilities in Adobe Flash Player by updating the affected Adobe Flash binaries contained within Internet Explorer 10 and Internet Explorer 11. For more information, see the advisory.

Staying up-to-date

Most customers have automatic updating enabled and will not need to take any action because these updates will be downloaded and installed automatically. Customers who have automatic updating disabled need to check for updates and install this update manually.

— Alec Oot, Program Manager, Internet Explorer

Comments

  • Anonymous
    December 09, 2014
    So if I disable SSL3.0 from IE11 now or if I wait until February 2015 to be disabled automatically is the same thing? Won't certain sites that aren't properly coded break if the handshake for TLS fails?

  • Anonymous
    December 09, 2014
    Hi, where to get the GPO admx file mentioned in support.microsoft.com/.../3013210 ?

  • Anonymous
    December 09, 2014
    FYR: The inetres.admx arrives by installing the December patches.

  • Anonymous
    December 10, 2014
    @Rares - There are 2 relevant settings:

    1. Enable/Disable SSL 3.0
    2. Allow/Block TLS to SSL 3.0 Fallback

    Starting in Feb, we will automatically disable SSL 3.0 fallback for Protected Mode sites in IE11. If you were to disable all of IE’s use of SSL 3.0, this would take precedence over the TLS to SSL 3.0 fallback changes (as there would be nothing to fall back to on your machine). Sites with broken TLS implementations will be affected. It's not possible to differentiate between an improper TLS implementation and an active man-in-the-middle attack.

  • Anonymous
    December 10, 2014
    The December 2014 Internet Explorer Cumulative Update (KB3008923) has broken our application that uses dialogArguments via window.showModalDialog. I'm guessing it was broken via the included KB3020809: support.microsoft.com/.../3020809. The issue is:

  • A browser window opens a modal dialog, passing an object via the varArgIn parameter (second parameter).

  • The window.dialogArguments property, in the resulting modal dialog, is the expected object, but...

  • This modal dialog opens another modal dialog, passing an object via the varArgIn parameter (second parameter).

  • The window.dialogArguments property in the second modal dialog is 'undefined'. Uninstalling KB3008923 reverts it back to the expected behavior.

  • Anonymous
    December 10, 2014
    Looks like this gentleman is having the same problem: answers.microsoft.com/.../b589426c-7134-4169-8e0c-5c00768ce50c

  • Anonymous
    December 10, 2014
    I made a sample page about the popup test.

    • ie11popup.herokuapp.com
    • tukiyo.github.io/.../index.html

    KB3008923 patched: return=undefined
    KB3008923 not patched: return=1

  • Anonymous
    December 10, 2014
    I have opened a case with Microsoft about this. My clients are having the same issue in several applications. Hopefully they can release a hotfix or a corrected patch ASAP!

  • Anonymous
    December 10, 2014
    Yes, hopefully this can get corrected very soon...many others have also raised the issue: connect.microsoft.com/.../1051452 social.technet.microsoft.com/.../nested-modal-dialogs-in-javascript-always-return-null-value-after-update-kb3008923-cumulative

  • Anonymous
    December 10, 2014
    After updating, file attaching in OWA was not working, so I released an uninstall script to my company.

  • Anonymous
    December 11, 2014
    Consider killing SSL completely. Firefox has done so already (www.mozilla.org/.../releasenotes). Chrome plans to, more cautiously (groups.google.com/.../forum): "SSLv3-fallback is only needed to support buggy HTTPS servers. The answer in these cases is to fix the server -- TLS 1.0 is nearly 15 years old at this point."

  • Anonymous
    December 14, 2014
    Steve Ravida, have you got any response for the opened support case?

  • Anonymous
    December 15, 2014
    Has anyone received a response from MS Support on whether an investigation is underway for KB3008923?

  • Anonymous
    December 15, 2014
    To be honest, we have gotten about as much information as is available online. It is classified as a bug in the KB3008923 update, and MS IE developers are working on a solution. They will not give us much in the way of time frame, and thus far, have been unable to convince the powers that be to remove the patch from general distribution. I wish I had better answers for the group, but I don't at this time.

  • Anonymous
    December 17, 2014
    There is now a published fix for this problem. support.microsoft.com/.../3025390

  • Anonymous
    December 17, 2014
    MS has released a bug fix for the issue: support.microsoft.com/.../3025390