Three Google researchers have uncovered a security bug in widely used web encryption technology that they say could allow hackers to take over accounts for email, banking and other services in what they have dubbed a 'Poodle' attack.
It was the third time this year that researchers have uncovered a vulnerability in widely used web technology, following April's 'Heartbleed' bug in OpenSSL and last month's 'Shellshock' bug in a piece of Unix software known as Bash.
"If Shellshock and Heartbleed were Threat Level 10, then Poodle is more like a 5 or a 6," said Tal Klein, vice president with cloud security firm Adallom.
Rumors of a bug in SSL software had been circulating in recent days, prompting some security professionals to prepare for a major new threat this week.
Google suggested a technical work around to secure web servers, but added on its blog that it hopes to eventually remove support for SSL 3.0 from all client software.
Mozilla plans to disable SSL 3.0 by default in the next version of its Firefox browser, to be released on November 25.
"SSL version 3.0 is no longer secure," Mozilla said on its blog. "Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible."
Microsoft issued an advisory suggesting that customers disable SSL 3.0 on Windows for servers and PCs.
Representatives with Apple could not be reached. An Oracle spokeswoman had no immediate comment.
Matthew Green, an assistant research professor of computer science at Johns Hopkins University said that disabling SSL 3.0 can be difficult for some computer users.
"It's not going to take out the infrastructure of the internet. But it's going to be a hassle to fix," Green said.
0 comments:
Post a Comment