Offering protection in stages; users can now set IE11 to disable SSL 3.0 fallback.
Microsoft yesterday added an optional anti-POODLE defense to Internet Explorer 11 (IE11), and promised that additional protection would be switched on by default in two months.
The 15-year-old flaw in SSL 3.0 -- an aged standard used to encrypt traffic between browsers and Web servers -- was disclosed two months ago by a team of Google security researchers. Criminals could exploit the vulnerability using "man-in-the-middle" attacks to make off with session cookies. Those stolen cookies would let the hackers impersonate their victims, automatically logging into sites to make online purchases, rifle through email or pilfer files from cloud storage services.
With Tuesday's update to IE11, the browser can now be set to kill what's called "SSL 3.0 fallback," a mechanism that forces the browser to switch to the buggy SSL 3.0 from more secure encryption protocols, such as TLS 1.2.