Security NYT NOW

Poodle Bug Marks Third Major Security Flaw Discovered This Year

Photo caption: The Poodle bug makes it possible for hackers to eavesdrop on a user’s web browsing, especially when they're connected via a public Wi-Fi network. Credit: Jewel Samad/Agence France-Presse — Getty Images

First there was Heartbleed, then Shellshock, and now Poodle, yet another serious security vulnerability in yet another widely used piece of software that went unnoticed for years.

This time, the Poodle vulnerability — which stands for Padding Oracle On Downgraded Legacy Encryption — was found in a 15-year-old web encryption technology called SSL 3.0. SSL, which stands for Secure Sockets Layer, is the technology that encrypts a user’s browsing session, making it difficult for anyone using the public Wi-Fi at Starbucks, for instance, to eavesdrop. The Poodle bug makes it possible for hackers to hijack their victim’s browsing session and do things like take over their email, online banking, or social networking account.
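The "padding oracle" in the name refers to how SSL 3.0 checks the padding at the end of an encrypted record. As an added illustration (not part of the article and not the Google researchers' code), the following Python compares the two padding rules in simplified form: the SSL 3.0 check only looks at the final length byte, whereas TLS 1.0 and later require every padding byte to carry the padding length. The record contents and the 20-byte MAC are constructed dummy values.

```python
# Added example, not from the article or the Google researchers: the shape of
# the CBC padding check in SSL 3.0 versus TLS 1.0+. Input is the decrypted
# record content: payload || MAC || padding || padding_length (constructed).
from typing import Tuple

BLOCK_SIZE = 16   # AES block size; SSL 3.0 also allowed 8-byte block ciphers
MAC_LEN = 20      # HMAC-SHA1 length, used only to slice the dummy MAC below


def sslv3_padding_ok(plaintext: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """SSL 3.0 rule: the record must be block aligned and the final byte
    (padding_length) must be smaller than the block size. The padding bytes
    themselves are never examined, so their content does not affect the
    verdict; that is the 'padding oracle' property."""
    if not plaintext or len(plaintext) % block_size:
        return False
    pad_len = plaintext[-1]
    return pad_len < block_size and len(plaintext) > pad_len


def tls_padding_ok(plaintext: bytes, block_size: int = BLOCK_SIZE) -> bool:
    """TLS 1.0+ rule: in addition, every padding byte must equal padding_length."""
    if not plaintext or len(plaintext) % block_size:
        return False
    pad_len = plaintext[-1]
    if len(plaintext) <= pad_len:
        return False
    return all(b == pad_len for b in plaintext[-(pad_len + 1):])


def unwrap(plaintext: bytes, mac_len: int = MAC_LEN) -> Tuple[bytes, bytes]:
    """Strip padding and split off the MAC (caller has already validated padding)."""
    body = plaintext[:-(plaintext[-1] + 1)]
    return body[:-mac_len], body[-mac_len:]


def compare(plaintext: bytes) -> Tuple[bool, bool]:
    """(accepted_by_sslv3, accepted_by_tls) for one decrypted record."""
    return sslv3_padding_ok(plaintext), tls_padding_ok(plaintext)


if __name__ == "__main__":
    mac = b"\xaa" * MAC_LEN                               # dummy MAC, constructed
    well_formed = b"hello, world" + mac + bytes([15]) * 16
    garbage_pad = b"hello, world" + mac + bytes(range(15)) + bytes([15])
    print("well-formed padding:", compare(well_formed))    # (True, True)
    print("garbage padding bytes:", compare(garbage_pad))  # (True, False)
```

The second sample is the point: a record whose 15 padding bytes are arbitrary is accepted by the SSL 3.0 rule as long as the final byte reads 15, while the TLS rule rejects it. A receiver whose accept/reject behaviour depends only on one decrypted byte leaks information about that byte, which is why the fix is to stop speaking SSL 3.0 rather than to patch the check.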

Three researchers at Google, Bodo Möller, Thai Duong and Krzysztof Kotowicz, disclosed details of a Poodle attack in a report last month.

Rumors of the bug have leaked over the last few days, prompting the OpenSSL Project, which develops the most widely used type of SSL encryption software, to publish the report on Tuesday. The advisory prompted makers of web browsers and server software, as well as some technology companies, to disable support for SSL 3.0.

Poodle marked the third major discovery of a bug in a widely used technology this year. In April, researchers uncovered Heartbleed, a bug that made it possible for attackers to steal data from a server, including the keys to decode any encrypted contents. Then, last month, researchers uncovered Shellshock, a more serious bug that made it possible for hackers to take control of millions of machines around the world, unnoticed.

Security researchers say that the Poodle bug is more innocuous than Heartbleed or Shellshock. For one, they note that SSL 3.0 has been largely superseded by a newer encryption protocol called Transport Layer Security, or TLS. Also, to pull off a Poodle attack, security researchers say that the victim has to be actively online and physically close to the attacker — say, using the same public Wi-Fi.

“Poodle requires a specific physical location and an active connection before an attack is practical,” said Karl Sigler, the threat intelligence manager at the security company Trustwave.

On Tuesday, Microsoft advised users to disable SSL 3.0 on Windows for servers and PCs.

Bodo Möller, one of the three Google researchers who discovered the bug, suggested a workaround on Google’s blog to secure web servers, but added that Google would remove support for SSL 3.0 from future customer software.

Mozilla said it would disable SSL 3.0 in the next version of the Firefox browser, which it plans to release on Nov. 25, and suggested browsers and websites turn off the feature in the meantime. Other companies, like Twitter, said they had disabled support for SSL 3.0 and that some users may need to update their browsers to use the service.
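Disabling SSL 3.0 is a configuration change, and a server operator will want to confirm it actually took effect. As an added example (not from the article, Google, Microsoft, Mozilla or Twitter), the following Python script sends a raw SSL 3.0 ClientHello to a server and reports whether it answers with an SSL 3.0 ServerHello or refuses. The record layout, handshake types, cipher-suite code points and alert numbers follow the SSL 3.0/TLS specifications; the default host name and the sample responses used for classification are constructed placeholders.

```python
# Added example, not from the article or any vendor advisory: an audit probe
# that tells a server operator whether SSL 3.0 is still accepted after it was
# supposedly disabled. Record layout, handshake types, cipher-suite code
# points and alert numbers follow the SSL 3.0 / TLS specifications; the
# default host name is a placeholder.
import os
import socket
import struct
from typing import Optional

SSL3_VERSION = b"\x03\x00"
CONTENT_ALERT, CONTENT_HANDSHAKE = 0x15, 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
# TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA
CIPHER_SUITES = [0x002F, 0x0035, 0x000A]
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def build_sslv3_client_hello(client_random: Optional[bytes] = None) -> bytes:
    """Return one SSL 3.0 record carrying a ClientHello offering CIPHER_SUITES."""
    rnd = client_random if client_random is not None else os.urandom(32)
    if len(rnd) != 32:
        raise ValueError("client random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSL3_VERSION + rnd
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                              # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_HANDSHAKE]) + SSL3_VERSION
            + struct.pack("!H", len(handshake)) + handshake)


def classify_response(data: bytes) -> str:
    """Map the first record the server sends back to an audit verdict."""
    if not data:
        return "rejected: connection closed without a response"
    if len(data) < 5:
        return "unrecognized: short record"
    content_type = data[0]
    if content_type == CONTENT_ALERT:
        desc = data[6] if len(data) > 6 else None
        return f"rejected: alert {desc} ({ALERT_NAMES.get(desc, 'other')})"
    if (content_type == CONTENT_HANDSHAKE and len(data) >= 11
            and data[5] == SERVER_HELLO):
        server_version = data[9:11]
        if server_version == SSL3_VERSION:
            return "ACCEPTED: server negotiated SSL 3.0; disable SSLv3"
        return f"unexpected: ServerHello with version {server_version.hex()}"
    return f"unrecognized: content type 0x{content_type:02x}"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, send the SSL 3.0 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            data = s.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"  # placeholder
    print(target, "->", probe(target))
```

Invoke it with the host name as the first argument. A server with SSL 3.0 disabled closes the connection or returns a handshake_failure or protocol_version alert; the "ACCEPTED" verdict means the change has not been applied (or a load balancer in front of the server still speaks SSL 3.0). Browsers get the same check for free once SSL 3.0 is disabled client-side, which is why Mozilla and Microsoft pushed the change on both ends.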