Is Poodle's bark worse than its bite? Only time will tell if attackers will wreak havoc by exploiting the flaw in the widely supported SSL v3.0 cryptography protocol. But it looks like they will have plenty of opportunity to do their dirty work until users and operators turn off support for the protocol—as evidenced by findings released by Netskope Thursday, that 3,562 apps are vulnerable to Poodle.
“Netskope continuously monitors thousands of SaaS apps and our preliminary analysis has shown that more than 3,562 of them are still vulnerable due to their current support for SSL v3.0,” Ravi Balupari, director of engineering and cloud security research at the company, wrote in a blog post, though a recent update on the company's website showed that by press time the number had dropped to 3,329 cloud apps.
Karl Sigler, director, SpiderLabs Threat Intelligence, at Trustwave, told SCMagazine.com in email correspondence that “while potentially severe if a successful attack occurs” the threat is minimized, in part, because currently “there are no existing Proof of Concept or tools that exist to exploit POODLE.”
But Sigler warned, “This is bound to change in the days to come.”
And that makes it all the more important for operators and users to move quickly to blunt the impact of Poodle by nixing support for SSL v3.0.
In email correspondence with SCMagazine.com, Tod Beardsley, engineering manager at Rapid7, expressed surprise at “how many decision makers of large, popular websites still are insisting on support for SSLv3.”
Added Sigler, “POODLE is sort of a sequel to the BEAST and CRIME attacks before it. What it really reminds us is that SSLv3 is antiquated.”
The Poodle threat may finally sound the death knell for SSLv3.0, experts said.
“Hopefully POODLE is the final nail in SSLv3's coffin so businesses can move on to TLS protocols,” said Sigler.
Beardsley expressed a similar sentiment. “I, along with most of the security community, hope that POODLE puts a bullet in SSLv3 once and for all,” he said.
Dropping the curtain on the popular protocol may not happen right away since “Many web servers still keep SSLv3 enabled to ensure compatibility with older browsers, in particular Internet Explorer 6,” said Chris Eng, vice president of security research at Veracode. But the industry is trying to move things in that direction.
Both Firefox and Chrome, for instance, have already announced plans to “completely remove SSLv3 in the near term, which will make users of those web browsers immune to this attack,” he added.
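The survey counts above and Beardsley's complaint both come down to one question an operator can answer directly: does this server still complete an SSL 3.0 handshake? The following probe, added here as an illustration and not code from the article, Netskope, or any vendor quoted in it, sends a bare SSLv3 ClientHello and classifies the first record that comes back. A ServerHello carrying version 0x0300 means SSLv3 is still on; an alert or a dropped connection means it was refused. The cipher-suite list, the fixture bytes used for offline testing, and the host name handling are all assumptions of this example. One caveat a scanner should carry: POODLE itself needs a CBC-mode suite under SSLv3, so the negotiated suite is reported alongside the verdict.

```python
# Added example (not from the article or any vendor quoted in it): a minimal
# SSLv3 ClientHello probe. It asks a server to negotiate SSL 3.0 and classifies
# the reply: a ServerHello with version 0x0300 means SSLv3 is still enabled
# (the condition Netskope counted); an alert or a closed connection means the
# server refused it. The suite list and fixture bytes below are constructed.
import socket
import struct

SSL3_VERSION = 0x0300

# A few classic suites; POODLE specifically needs a CBC-mode suite under SSLv3.
CIPHER_SUITES = {
    0x002F: ("TLS_RSA_WITH_AES_128_CBC_SHA", True),
    0x0035: ("TLS_RSA_WITH_AES_256_CBC_SHA", True),
    0x000A: ("TLS_RSA_WITH_3DES_EDE_CBC_SHA", True),
    0x0005: ("TLS_RSA_WITH_RC4_128_SHA", False),
    0x0004: ("TLS_RSA_WITH_RC4_128_MD5", False),
}

def _record(content_type, payload):
    """Wrap payload in an SSLv3 record: 1-byte type, version 0x0300, 2-byte length."""
    return bytes([content_type]) + struct.pack("!HH", SSL3_VERSION, len(payload)) + payload

def _handshake(msg_type, body):
    """Handshake header: 1-byte message type plus 3-byte big-endian length."""
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def build_sslv3_client_hello():
    """ClientHello whose maximum version is SSL 3.0, offering the suites above."""
    client_random = b"\x00" * 32            # fixed for a probe; a real client randomises this
    suites = b"".join(struct.pack("!H", c) for c in CIPHER_SUITES)
    body = (struct.pack("!H", SSL3_VERSION) + client_random
            + b"\x00"                          # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                     # one compression method: null
    return _record(0x16, _handshake(0x01, body))

def classify_response(data):
    """Return (verdict, detail) for the first record a server sent back.

    verdict is 'accepted' (an SSLv3 ServerHello), 'rejected' (an alert or a
    closed connection) or 'unknown' (anything else, e.g. a truncated reply)."""
    if not data:
        return ("rejected", "connection closed without a ServerHello")
    if len(data) < 5:
        return ("unknown", "short record")
    content_type, length = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:        # alert record
        return ("rejected", "alert level=%d description=%d" % (payload[0], payload[1]))
    if content_type == 0x16 and len(payload) >= 4 and payload[0] == 0x02:  # server_hello
        body = payload[4:]
        if len(body) < 2 + 32 + 1:
            return ("unknown", "truncated ServerHello")
        version = struct.unpack("!H", body[0:2])[0]
        sid_len = body[34]
        if len(body) < 35 + sid_len + 2:
            return ("unknown", "truncated ServerHello")
        suite = struct.unpack("!H", body[35 + sid_len:37 + sid_len])[0]
        if version != SSL3_VERSION:
            # We offered at most 0x0300; anything else is a protocol violation.
            return ("unknown", "server answered with version 0x%04x" % version)
        name, cbc = CIPHER_SUITES.get(suite, ("0x%04x" % suite, None))
        return ("accepted", "%s (CBC: %s)" % (name, cbc))
    return ("unknown", "unexpected record type 0x%02x" % content_type)

def probe_sslv3(host, port=443, timeout=5.0):
    """Live probe: connect, send the SSLv3 ClientHello, classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except OSError:           # timeout or reset: treat like a closed connection
            data = b""
    return classify_response(data)

# Constructed replies so the classifier can be exercised offline.
def fixture_server_hello(version=SSL3_VERSION, suite=0x002F):
    body = struct.pack("!H", version) + b"\x11" * 32 + b"\x00" + struct.pack("!H", suite) + b"\x00"
    return _record(0x16, _handshake(0x02, body))

def fixture_alert(level=2, description=70):   # 70 = protocol_version, 40 = handshake_failure
    return _record(0x15, bytes([level, description]))

if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        sys.exit("usage: sslv3_probe.py <host>")
    print(sys.argv[1], probe_sslv3(sys.argv[1]))
```

Run it against a host you are authorised to test; "accepted" with a CBC suite is the POODLE-exposed case, "accepted" with RC4 only is SSLv3 still enabled but not this particular attack. The remediation on the server side is a single directive: `SSLProtocol all -SSLv2 -SSLv3` in Apache httpd, or `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` in nginx, after which the probe should report "rejected".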
Still, with vulnerabilities like Poodle surfacing regularly, Sigler suggested it may be time for the software industry to strengthen security by making it “a part of their Software Development Life Cycle. This would include regular code audits and making sure your programmers are educated in secure coding best practices.”
That would help ensure software is “secure before public release,” he said. “Companies should also have procedures in place to handle vulnerability reports to make them more agile during the patch development cycle.”
The responsibility doesn't just lie with the software industry, however. “Compounding the problem overall is the fact that even as software vendors get better at ‘baking in’ security from the offset, organizations using technology tend to be change averse,” said Sigler.
As a result, they may skip upgrades and “many admins that are responsible for IT services practice a ‘If it isn't broke, don't fix it’ mentality,” he said.
“We also often see businesses struggle with not having enough manpower and skillsets in-house to uncover and deploy protections against these kinds of vulnerabilities and really dedicate the time needed for security,” he added.
On Wednesday, security firm Elastica posted a video demonstrating how attackers could leverage Poodle to decrypt SSL traffic.