The POODLE attack is a vulnerability that takes advantage of web browser encryption. It gives attackers access to the web traffic between a user’s browser and an HTTPS website, which can have serious repercussions, such as the decryption of sensitive user information like authentication cookies.
Though Microsoft has taken a number of steps to address this vulnerability, a detailed evaluation from Greyhound Research has found that Microsoft Office 365 continues to rate weak on the SSL 3.0 security vulnerability. Sanchit Vir Gogia, the CEO of Greyhound Research, who was evaluating cloud-based productivity suite options, including both Microsoft Office 365 and Google Apps for Work, for one of his clients, ran a quick POODLE attack vulnerability check (on www.ssllabs.com) and found that the vulnerabilities still affected Office 365.
“In October 2014, Microsoft issued advice on a Secure Sockets Layer (SSL) 3.0 security flaw that was discovered in their Azure and Office 365 Exchange servers. Microsoft stated that SSL 3.0 is an aged protocol and is now replaced by the Transport Layer Security (TLS) protocol, which is devoid of the POODLE flaw, as also validated by US-CERT. However, we ran the Qualys test for a few mail servers, only to find that the vulnerability still affected Office 365,” says Sanchit.
As most small and medium enterprises rely on cloud-based offerings, this vulnerability can have serious implications. “Many small and medium businesses often do not have proper security measures in place, and hence make for easier prey. With players like Google (Apps for Work), Microsoft (Office 365) and IBM (Verse) increasingly catering to organizations with cloud-based productivity suites, this space is only expected to get more complex,” states Sanchit.