Didn't find what you're looking for? Contact Support

On October 14, 2014, security researchers announced a flaw known as POODLE (CVE-2014-3566) which affects the SSL encryption used to secure websites. The protocol vulnerability could potentially allow an attacker to compromise secure traffic to your sites and hijack a user's session.

This affects you!

Microsoft servers, including those running SharePoint or TMG, allow SSL 3 connections and are vulnerable to this exploit.

Is this as bad as Heartbleed and Shellshock?

While neither of those bugs affect SharePoint or Microsoft servers, this is a much less severe problem. Heartbleed and Shellshock were remotely exploitable by anyone, anywhere. POODLE requires live access to a user's internet connection. So called man in middle attacks can be exploited in places such as a coffee shop or when using shared Wi-Fi.

What should you do?

We strongly recommend disabling SSL 3 (and SSL 2) on SharePoint, TMG, and any other system which creates SSL connections. This ensures visitors use the more secure Transport Layer Security (TLS) encryption protocol. 

Microsoft have provided steps to disable SSL 3 on Windows servers (requires reboot). Full information is available on configuring Microsoft's Secure Channel system. This exploit is a protocol vulnerability, not a bug, so we do not expect a patch from Microsoft disabling SSL 3 support.

If you would like help securing your SharePoint environment from this exploit get in touch

Visitors using (ancient!) browsers such as Internet Explorer 6, Firefox 1, Opera 5, Safari 4 will no longer be able to access your secure sites.

Test your secure sites using poodlescan.com. Qualys SSL Labs site (ssllabs.com/ssltest) also lets you check for SHA-1 support which is now being sunset.

Protect your users

You can also consider disabling Internet Explorer's ability to use SSL 3 via Active Directory Group Policy. This ensures only the TLS protocol is used and will break any websites which don't support the TLS protocol. Numerous infrastructure providers have begun blocking SSL 3 connections so any deficient sites are likely to be upgraded quickly. Google (patch pending) and Mozilla (Nov 25) have both announced they are imminently removing support for SSL 3.