POODLE, a bug that could affect 10 percent of all websites, is back
POODLE is coming back for more.
The bug, which was originally thought to affect only older versions of the Secure Sockets Layer (SSL) protocol used to encrypt information as it travels around the Internet, is now known to affect the Transport Layer Security (TLS) protocol, too.
Or put another way, without all the gobbledygook: a problem that allowed hackers to intercept and decrypt information forced website owners to update their security in October; the only problem is that the tool they're now using is susceptible to the same vulnerability.
POODLE could be exploited by forcing Web browsers to fall back to SSL 3.0 when they visited certain websites. The fix was relatively easy -- prevent a browser using SSL 3.0 from reaching a website. And many companies did just that.
Ars Technica reported on December 8 that this variation of the POODLE bug can affect 10 percent of websites, making it easier to exploit than the original. TLS' vulnerability to this bug was first revealed by one of the researchers who discovered the original POODLE.
A researcher at FireEye, a cyber security firm, has confirmed that some versions of TLS are vulnerable to attack. But it's not all bad news: he also writes in a blog post that the newest version of TLS shouldn't be affected by the bug, so up-to-date website owners should be safe.
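As an added illustration (not from the article, FireEye or the POODLE researchers), here is the padding rule the two protocols differ on, plus a check a developer can run against their own TLS stack's padding routine; all record contents are constructed, the MAC is not verified, and the function names are my own.

```python
BLOCK_SIZE = 16  # AES block size; SSL 3.0 requires padding_length < block size

# Constructed sample value; real records carry a real HMAC and ciphertext.
MAC_LEN = 20  # HMAC-SHA1 tag length used by the TLS 1.0 CBC cipher suites


def build_record(payload: bytes, mac: bytes, pad_len: int) -> bytes:
    """Plaintext as it appears after CBC decryption: payload | MAC | padding | pad_len."""
    return payload + mac + bytes([pad_len]) * pad_len + bytes([pad_len])


def sslv3_padding_ok(decrypted: bytes, mac_len: int) -> bool:
    """SSL 3.0 rule: only the final length byte is inspected; the padding bytes
    themselves are never checked, which is what hands an attacker a padding oracle."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    return pad_len < BLOCK_SIZE and len(decrypted) >= pad_len + 1 + mac_len


def tls_padding_ok(decrypted: bytes, mac_len: int) -> bool:
    """TLS 1.0+ rule (RFC 5246 section 6.2.3.2): every padding byte must equal
    pad_len. A TLS stack that still applies the SSL 3.0 rule has the POODLE defect."""
    if not decrypted:
        return False
    pad_len = decrypted[-1]
    if len(decrypted) < pad_len + 1 + mac_len:
        return False
    bad = 0  # OR the differences together instead of returning early, so the
    for b in decrypted[-(pad_len + 1):]:  # check does not leak which byte failed
        bad |= b ^ pad_len
    return bad == 0


def corrupt_padding(decrypted: bytes) -> bytes:
    """Flip one padding byte (not the length byte) to mimic a tampered record."""
    pad_len = decrypted[-1]
    if pad_len == 0:
        raise ValueError("record has no padding bytes to corrupt")
    idx = len(decrypted) - 2  # the padding byte just before the length byte
    return decrypted[:idx] + bytes([decrypted[idx] ^ 0xFF]) + decrypted[idx + 1:]


def audit_padding_check(check) -> bool:
    """Return True if `check` rejects a record whose padding bytes were tampered
    with: the behaviour a TLS implementation needs to be safe from POODLE."""
    good = build_record(b"GET / HTTP/1.1\r\n", b"\x00" * MAC_LEN, 7)
    if not check(good, MAC_LEN):
        raise ValueError("checker rejects a well-formed record")
    return not check(corrupt_padding(good), MAC_LEN)
```

Running the audit against the two checkers shows the strict TLS rule rejecting the tampered record while the SSL 3.0 rule accepts it; a real implementation must also verify the MAC in constant time regardless of the padding result.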
The discovery of these POODLE variations shows that vulnerabilities can affect people long after they leave the news cycle. That was the case with Heartbleed, the bug that left much of the Internet vulnerable to attack, which still affected hundreds of thousands of servers months after it was discovered. It's also the case with Shellshock, another vulnerability discovered earlier this year that is now being exploited by a worm targeting network control systems.
And now POODLE is back to remind companies to update their software to the newest available version as soon as they get the chance. It's not every day you meet a dog -- even one only being used as a nickname for the Padding Oracle On Downgraded Legacy Encryption bug -- that constantly reminds the world that it's just waiting to be put down once and for all.
[illustration by Brad Jonas for Pando]