Possible SSL 3.0 Bug Patch on the Way


As soon as you're finished patching the zero-day flaw in Microsoft's operating systems today, you'll want to refocus your attention to a potentially nasty SSL 3.0 bug that has surfaced.

According to sources, the bug was acknowledged only recently, and those who identified it were asked to keep mum about it until a patch is ready. That patch is reportedly due sometime today.

Little is known about the flaw beyond the fact that it exists and that a patch is coming; even the affected platforms have not been disclosed.

Cybersecurity expert Philip Lieberman, President of Lieberman Software, has this to say on the matter:

"Governments have a vast inventory of zero day attacks available to them on multiple platforms (commercial and open source) for the advancement of their sovereign objectives. These vulnerabilities are the latest set of attack vectors to be shut down, but there are plenty more in inventory.

The most effective methods for securing yourself from these types of attacks are the use of air-gap networks (machines not connected to the Internet) and the use of disconnected media containing sensitive data. Assume that others are within your systems and institute multi-factor authentication and adaptive privilege management to assure that your machine is not a jumping off point for an organization-wide attack.

Failure to use sufficiently powerful and automated privilege management software and technologies makes these zero day attacks very effective for persistent access even after the vulnerabilities have been patched. Those companies that attempt to manage passwords, keys and certificates by hand will be victimized after these vulnerabilities have been patched."

And he's right. The modern world is fraught with security missteps and the potential for disaster. Preparation is the key. Some organizations will hear about today's vulnerabilities and feel fairly comfortable that they are prepared to mitigate them even if a patch is not available, or if the patch itself causes more problems than it solves, something we've seen a lot of lately. But, sadly, the majority of organizations have not evolved beyond a simple patching strategy.

Interestingly enough, I'm working on a webinar on this exact topic. Patching is not enough anymore. It's still a very important step in securing the environment, but it's only a small piece of overall security. The webinar happens on October 29th at 2pm ET if you're up for the conversation:

Why Your "Successful" Patching Policies are Your Biggest Security Threat
