It's been a long road. The issue with the industry-wide SSL 3.0 protocol vulnerability, nicknamed "Poodle," started back in October 2014 for Microsoft. The SSL protocol 3.0, as used in OpenSSL, is vulnerable to man-in-the-middle attackers to obtain cleartext data from users' communication streams.
Along the way, Microsoft has taken baby steps.
Just sift through the history of the security advisory to get a good understanding:
-
October 14, 2014 – The advisory first published.
-
October 15, 2014 – The advisory was revised to include a workaround for disabling the SSL 3.0 protocol in Windows.
-
October 29, 2014 – The advisory was revised to announce the deprecation of SSL 3.0, to clarify the workaround instructions for disabling SSL 3.0 on Windows servers and on Windows clients, and to announce the availability of a Microsoft Fix it solution for Internet Explorer.
-
December 9, 2014 – The advisory was revised to announce the availability of SSL 3.0 fallback warnings in Internet Explorer 11.
-
February 10, 2015 – The advisory was revised to announce that SSL 3.0 fallback attempts are disabled by default in Internet Explorer 11.
-
February 16, 2015 – The advisory was revised to announce a planned date for disabling SSL 3.0 by default in Internet Explorer 11.
-
April 14, 2015 – They advisory was revised to announce the release of security update 3038314 on April 14, 2015 that disables SSL 3.0 by default in Internet Explorer 11. Additionally instructions for reversing workarounds were added.
Microsoft provided a FixIt solution in late October. Today's update (3009008), which only works for Internet Explorer 11 customers, is a permanent solution. It replaces the FixIt solution and causes SSL 3.0 to be disabled by default for the web browser. For any other version of Internet Explorer, the workarounds are still required. The workarounds are all included in the original, but heavily edited, advisory: Microsoft Security Advisory 3009008
