Microsoft released Security Advisory 3009008 to provide guidance related to a vulnerability in Secure Sockets Layer (SSL) 3.0 which could allow information disclosure. This is an industry-wide vulnerability that affects the protocol itself and is not specific to Microsoft’s implementation. Today we revised the Security Advisory to include an easy, one-click Fix it for customers to disable SSL 3.0 in all supported versions of Internet Explorer (IE). To help protect our customers further, we will be disabling fallback to SSL 3.0 in IE, and disabling SSL 3.0 by default in IE and across Microsoft online services, over the coming months. Starting on December 1, 2014, Azure and Office 365 will begin disabling support for SSL 3.0. This means that from December 1, 2014, all client/browser combinations will need to utilize TLS 1.0 or higher to connect to Azure and Office 365 services without issues. This may require certain client/browser combinations to be updated. Although analysis of connections to Microsoft online services shows very few customers still use SSL 3.0, we are providing customers with advance notice of this change so they can update their impacted clients prior to us disabling SSL 3.0. The following resources provide guidance for end users and administrators to ensure clients are utilizing TLS 1.0 or higher and to disable SSL 3.0 proactively.
- Individuals can use the Fix it, which is available for all supported versions of Internet Explorer, to disable SSL 3.0 in their browser and help ensure they are protected from this vulnerability.
- Customers who wish to proactively disable SSL 3.0 on Azure Websites, Roles, and Virtual machines can find guidance here.
- Clients of Azure web services may need to test their applications and ensure that they are not reliant on SSL 3.0. By default, all Azure services already support TLS 1.0 and higher.
- If you are an Office 365 customer, also visit the Office 365 blog for more information.