date 2014-10-15
(Adds comments from Mozilla, Google, Microsoft, security
expert)
By Jim Finkle
BOSTON Oct 14 Three Google Inc
researchers have uncovered a security bug in widely used web
encryption technology that they say could allow hackers to take
over accounts for email, banking and other services in what they
have dubbed a "Poodle" attack.
The discovery of "Poodle," which stands for Padding Oracle
On Downgraded Legacy Encryption, prompted makers of web browsers
and server software to advise users on Tuesday to disable use of
the source of the security bug: an 18-year-old encryption
standard known as SSL 3.0.
It was the third time this year that researchers have
uncovered a vulnerability in widely used web technology,
following April's "Heartbleed" bug in OpenSSL and last month's
"Shellshock" bug in a piece of Unix software known as Bash.
Security experts said that hackers could steal browser
"cookies" in "Poodle" attacks, potentially taking control of
email, banking and social networking accounts. Even so, experts
said the threat was not as serious as the two prior bugs.
"If Shellshock and Heartbleed were Threat Level 10, then
Poodle is more like a 5 or a 6," said Tal Klein, vice president
with cloud security firm Adallom.
The threat was disclosed in a research paper published on
the website of the OpenSSL Project, which develops the most
widely used type of SSL encryption software.
Rumors of a bug in SSL software had been circulating in
recent days, prompting some security professionals to prepare
for a major new threat this week.
Ivan Ristic, director of application security research with
Qualys, said "Poodle" was not as serious as the previous threats
because the attack was "quite complicated," requiring hackers to
have privileged access to networks.
Jeff Moss, a cyber adviser to the U.S. Department of
Homeland Security, said attackers would need to launch a
"man-in-the-middle" attack, placing themselves between victims
and websites using approaches such as creating rogue WiFi
"hotspots" in Internet cafes.
Google suggested a technical workaround to secure web
servers, but added on its blog that it hopes to eventually
remove support for SSL 3.0 from all client software.
Mozilla plans to disable SSL 3.0 by default in the next
version of its Firefox browser, to be released on Nov. 25. (mzl.la/1DaxOwY).
"SSL version 3.0 is no longer secure," Mozilla said on its
blog. "Browsers and websites need to turn off SSLv3 and use more
modern security protocols as soon as possible."
Microsoft Corp issued an advisory suggesting that
customers disable SSL 3.0 on Windows for servers and PCs.
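The advice above from Google, Mozilla and Microsoft amounts to one configuration change on the server side: stop offering SSL 3.0. The script below is an added example, not code from the article or from any of the vendors quoted; it audits the protocol directives of two common web servers and proposes the hardened line. It assumes nginx's `ssl_protocols` and Apache httpd's `SSLProtocol` directive syntax, and the configuration lines it is run over are constructed for illustration. It also covers the Apache case the article does not spell out: `SSLProtocol all -SSLv2` looks hardened but still leaves SSLv3 enabled.

```python
"""Audit nginx / Apache TLS protocol directives for SSLv3 exposure.

Added example (not from the article or any vendor advisory). Assumes the
directive syntax of nginx's ``ssl_protocols`` and Apache httpd's
``SSLProtocol``; sample lines at the bottom are constructed.
"""
import re

# Versions a POODLE-hardened server may still offer (assumption: TLS 1.0+).
SAFE_PROTOCOLS = ["TLSv1", "TLSv1.1", "TLSv1.2"]
# Versions that must never be offered; SSLv3 is the one POODLE exploits.
UNSAFE = {"SSLv2", "SSLv3"}


def nginx_enabled(directive):
    """Return the set of protocols an nginx ``ssl_protocols`` line enables."""
    m = re.match(r"\s*ssl_protocols\s+(.*?)\s*;", directive)
    if not m:
        raise ValueError("not an nginx ssl_protocols directive")
    return set(m.group(1).split())


def apache_enabled(directive):
    """Return the set of protocols an Apache ``SSLProtocol`` line enables.

    Apache's syntax is additive: ``all`` expands to every version, ``-X``
    removes one and ``+X`` adds one. ``all -SSLv2`` therefore still leaves
    SSLv3 switched on, which is the mistake this check is meant to catch.
    """
    m = re.match(r"\s*SSLProtocol\s+(.*?)\s*$", directive)
    if not m:
        raise ValueError("not an Apache SSLProtocol directive")
    enabled = set()
    for tok in m.group(1).split():
        if tok.lower() == "all":
            enabled |= UNSAFE | set(SAFE_PROTOCOLS)
        elif tok.startswith("-"):
            enabled.discard(tok[1:])
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def audit(directive):
    """Classify one directive.

    Returns (server, unsafe_protocols_enabled, hardened_directive).
    """
    stripped = directive.strip()
    if stripped.startswith("ssl_protocols"):
        enabled = nginx_enabled(stripped)
        # Keep whichever safe versions were already listed; if the line
        # offered nothing but SSLv3, fall back to the full safe list.
        kept = [p for p in SAFE_PROTOCOLS if p in enabled] or SAFE_PROTOCOLS
        return "nginx", sorted(enabled & UNSAFE), "ssl_protocols %s;" % " ".join(kept)
    if stripped.startswith("SSLProtocol"):
        enabled = apache_enabled(stripped)
        return "apache", sorted(enabled & UNSAFE), "SSLProtocol all -SSLv2 -SSLv3"
    raise ValueError("unrecognised directive: %r" % directive)


if __name__ == "__main__":
    # Constructed sample lines: two exposed, one already hardened.
    for line in [
        "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;",
        "SSLProtocol all -SSLv2",
        "SSLProtocol all -SSLv2 -SSLv3",
    ]:
        server, bad, fixed = audit(line)
        status = "EXPOSED (%s)" % ", ".join(bad) if bad else "ok"
        print("%-7s %-45s %s -> %s" % (server, line, status, fixed))
```

Run it against the `ssl_protocols` or `SSLProtocol` lines pulled out of a server's configuration; any directive reported as EXPOSED should be replaced by the hardened line printed beside it and the server reloaded. Disabling SSLv3 server-side protects every client talking to that host, which is why the advisories above treat it as the first step even before browser vendors ship their own defaults.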
Representatives with Apple Inc could not be
reached. An Oracle Corp spokeswoman had no immediate
comment.
Matthew Green, an assistant research professor of computer
science at Johns Hopkins University said that disabling SSL 3.0
can be difficult for some computer users.
"It's not going to take out the infrastructure of the
Internet. But it's going to be a hassle to fix," Green said.
(Reporting by Jim Finkle. Additional reporting by Kanika Sikk;
Editing by G Crosse and Ken Wills)