[Important]: PLEASE cope with the critical vulnerability regarding secure connection “SSL” (POODLE SSLv3)!

Kimiya Kitani

10 years ago

Dear all,

Last month, the critical vulnerability regarding the secure connection (SSL) was discovered.
Especially, there is possibility of leaking the private information, a credit card, addresses, password and so on when you access a web browser to secure web sites, such as an online shopping, an online bank, or a local page with password.

Countermeasure of not only servers but also PCs are needed!!

Have my browser this vulnerability?

This is good question!

Please access to https://www.poodletest.com.

If “Vulnerable” message is displayed, the browser has probably the vulnerability.
Please cope with the following operation.

How to cope with the vulnerability (for Web browser)

Internet Explorer

Update/Check Internet Explore to the latest version.
Download “Microsoft fix it 51024” tool from https://support.microsoft.com/kb/3009008/#FixItForMe and install it.
Restart Internet Explorer.
Access to https://www.poodletest.com and Check that “Not Vulnerable” message is displayed

If “Vulnerable” message continue to be displayed, please restart Windows OS (PC).

Mozilla Firefox

Update/Check Firefox to the latest version.
Open Firefox and Install “SSL Version Control” add-on from https://addons.mozilla.org/ja/firefox/addon/ssl-version-control/.
Restart Firefox.
Access to https://www.poodletest.com and Check that “Not Vulnerable” message is displayed

If “Vulnerable” message continue to be displayed, please restart Windows OS (PC).

Google Chrome

Test tool (https://www.poodletest.com) displays “Vulnerable”, but there is no problem if you use the latest version.
Because the special avoidance measure (*1) is used by Google.

*1 This POODLE bites: exploiting the SSL 3.0 fallback (Google Online Security Blog)

The vulnerability was discovered by Google, so this avoidance measure is highly credible.

Update/Check Chrome to the latest version.

If the update of Chrome is failure, please download/install it from https://support.google.com/chrome/answer/95346?hl=en

Safari

Windows Users

Now, it seems that Aple has dropped support for Safari on Windows because Safari on Windows hasn’t updated and don’t support to Security Update 2014-005 vulnerability. Therefore, if you use Safari on Windows, please change the browser.

Macintosh Users

Please install/check the security patch “Security Update 2014-005“.

Select “Software Update” in the Apple menu (upper left).
* In case of MacOS Yosemite (10.10), Select “About Mac” and Click “Software Update” button.
Check Security Update 2014-005 in the update list (Update tab)

If Security Update 2014-005 is not in the update list, please install “Security Update 2014-005“.

*Unfortunately, even if the security patch is applied, the test tool (https://www.poodletest.com) displays “Vulnerable”.
User cannot know the patch credibility.

*This patch has been provided to MacOS 10.8/10.9/10.10 only. If you use MacOS 10.6 or 10.7, please upgrade to MacOS Yosemite (10.10). In case of using MacOS 10.6 or above version, you can upgrade to latest OS without any cost.

For the Center’s Staffs

*Keep in mind that MacOS 10.6 or above version are required for connecting the Center’s network because it is necessary to install the Center’s security software to the Macintosh.

Opera

Update/Check Opera to the latest version.
Turn off “SSL” check box in Security Protocol (Settings –> Advanced –> Security)

14th Nobember, 2014 Chief of Information Processing Office: Kitani.