OFFICIAL SECURITY BLOG

Should you worry about POODLE bites?

Published October 15th, 2014 at 7:38 AM EDT, modified October 15th, 2014 at 7:38 AM EDT

Yesterday, Google revealed a vulnerability that one of their researchers found in SSL3, a technology used to secure many network connections, including those used by secure websites. This bug – which is being called “POODLE” – could allow for an attacker to gain access to encrypted transmissions sent between the browser and a secure site. The question many Mac users will be asking this morning is: how much should we worry?

Unfortunately, it appears that the latest version of Safari – the browser used by the majority of Mac users – is vulnerable to the POODLE bug. This can be easily determined by visiting the Poodle Test site. If the site shows the image of a poodle, your browser is vulnerable.

When I tested with Safari 7.1 in Mac OS X 10.9.5, I got the poodle, indicating that this version of Safari is vulnerable to attack. I also tested the latest versions of Chrome (38.0.2125.104) and Firefox (33.0). Of these, Chrome was also vulnerable, while Firefox was not.

So, given that two of the “big three” browsers Mac users are likely to use are vulnerable, including the most commonly used one, this must be pretty serious, right? Well, yes and no. The most important thing to understand is that this vulnerability is only a danger in certain situations. In order to exploit this bug, an attacker must use a “man-in-the-middle” attack.

A man-in-the-middle attack is a situation in which the attacker occupies a privileged position between the machine being attacked and the server that machine is trying to communicate with. The most typical case would be one where an attacker sets up a malicious wifi network and, being in control of the network, is able to exploit the POODLE bug. Another possibility would involve an attacker being able to take over your home network somehow, such as through a wireless router that was improperly secured.

Thus, if you’re on a good network with properly secured network hardware, you really have nothing to worry about. There is no man in the middle, thus there can be no attack. However, any time you venture out onto some other network – such as a public network at a coffee shop, restaurant, public library, hotel, airport, etc. – you must exercise caution. The network you join could be a fake network set up to look like the real one, or it could be run by an untrustworthy person, and you could end up attacked.

I’ve always cautioned people against using secure sites on public wifi networks anyway. There has always been the possibility of a vulnerable site allowing an attacker to gain access to your “secure” connection, so avoiding use of secure sites on public wifi has always been a good idea. However, this is even more important now, given the POODLE vulnerability. Do not log in to any secure sites while on public wifi!

If you absolutely must use secure sites on unsecured public networks, at the moment, the safest browser to use for such purposes is Firefox, but make sure you have updated to the latest version. (I’m not sure how vulnerable older versions of Firefox might be.)

As far as your home or office network is concerned, make sure that your wireless router is not set to allow remote administration and is secured with a good password. Also make sure to update the router’s firmware, or consider installing an alternate third-party firmware, such as DD-WRT. If you aren’t sure how to do these things, contact the manufacturer of your router for assistance, or consider hiring a reputable local technician to help you.

19 Comments

  • Patrick says:

    What about using a VPN on a public wifi? Would POODLE have an effect on it? I don’t use public wifis much but I do have a VPN for when I do use them and I know companies like IBM and Lenovo use them for people working from home or on the road.

  • chr15 says:

    Firefox 33 now shows as vulnerable.

  • daire says:

    Any add-ons for Safari do anything to counteract this?

    • Al Varnell says:

      Apple includes a fix for this in Yosemite and issued Security Updates for Mavericks, Mountain Lion and all three supported servers (4.0, 3.2.2, 2.2.5) today. Your browsers will probably still test as “Maybe Vulnerable” on the poodletest site, but apparently OS X won’t let them use SSLv3 even if they could. That will protect other apps that might use SSLv3 such as e-mail client apps.

  • Austin says:

    Tested my computer using Google Chrome version 38.0.2125.104, and it said I was not vulnerable to the poodle exploit. I did it twice and it said the same thing. Since Thomas found it was vulnerable, could my results have been false negatives? Any ideas anyone?

    • Al Varnell says:

      I get the same results now. Not sure whether this is due to the last update to Chrome or yesterday’s Apple Security Updates.

  • B. Bailey says:

    Thanks! Just downloaded the add-on to FF 33 and now am “not vulnerable” to Poodle.

  • Matt says:

    Just tested 10.10 Yosemite with Safari 8.0 and it’s also vulnerable. Latest updates are installed.

    • Al Varnell says:

      Yosemite includes code that disables the use of SSL by all applications, including Safari, Mail, App Store, other browsers, etc. So even though Safari 8.0 flunks the poodle test, it is prevented from using SSLv3 by OS X.

  • JF says:

    What about Safari in iOS 7.02 (not ready for iOS 8)?

  • Barry Nelson says:

    The image of the poodle on poodletest.com is served by the server https://sslv3.dshield.org/, which only supports SSLv3 with block ciphers, so if Safari was really fixed, it should fail to display the image, but it doesn’t. If it can connect to that site then it is vulnerable, and it does connect to the site!

    • Thomas says:

      That server results in nothing but a blank page for me. You didn’t mention what version of Safari you’re using.

    • Al Varnell says:

      Same here, nothing but a blank page using Yosemite and Safari 8.0.

      According to SANS Institute, Newsbites #88 11/4/2014

      “Apple has not blocked SSL 3.0, but has disabled cipher block chaining, which underlies the POODLE flaw.”

      That means it won’t allow any browser or application that tries to use SSL 3.0 to successfully do so, including Mail and Messages.

  • Richard Kerry Holtzin says:

    As a Mac guy, I generally don’t worry about catching such ‘sneezes’ from the Internet. However, this time I did. My grumpy feelings aside (about the absolute lowest-life forms on the cyber network that do this stuff)... I worked about 8 hours on my iMac trying to get the problem solved; was thoroughly frustrated (because I know very little about the machination of how computer systems worked). Then I stumbled across this gentleman’s website, studied the problem from a whole other perspective, then applied the methodology. And it worked! For me, this is a great coup, simply because I am anything but tech-savvy. I am trying to get in touch with the owner of this software, mainly to thank him, personally, and to promise a donation upon my next Social Security check. I am on limited funds and only this month’s living expenses are covered. But I will make good on the promise. For those of you reading this, I hope you will do likewise: the man’s software product does indeed work and gets the job done... tout de suite. Sincerely, Rich Holtzin, Albuquerque, NM (www.richholtzin.com)

  • Jim says:

    “the man’s software product does indeed work and gets the job done” Could you explain what ‘software’ you are talking about? And who ‘the man’ is?

    Thanks! 😉
