Posted on Google’s Online Security Blog, three Google researches have published a report detailing a nasty online security bug they’re calling POODLE (“Padding Oracle On Downgraded Legacy Encryption”). This POODLE attack targets a specific vulnerability in SSL 3.0 which, for the most part, hasn’t been used in over a decade. Even so, it’s still widely supported and is the reason Google is urging all system admins to discontinue support for the protocol.
Also known as Poodlebleed, the attack is similar to the Heartbleed exploit we saw causing a panic around the net earlier this year and allows for hackers to potentially intercept and replace data being sent/received during a “secure” HTTPS session. By publishing the exploit Google not only gives sysadmins a head start in patching everything up, but at the same time, provides all sorts nefarious characters around the net with everything the need to exploit the newly discovered vulnerability. For more info on POODLE, check out Google’s PDF here (download).
For instructions on preventing this SSLV3 fallback in Chrome and Firefox, check out the researcher’s blog post here.