Full Report
Firefox 34, the latest version of Mozilla's popular web browser, has disabled support for SSL 3.0 in reaction to the POODLE exploit, reported by We Live Security back in October.
Analysis Summary
# Vulnerability: Mitigation of SSL 3.0 (POODLE) and Eight Other Security Fixes in Firefox 34
## CVE Details
- CVE ID: N/A (Article focuses on a proactive feature change/fix rather than a specific disclosed CVE for SSL 3.0 removal, but addresses the POODLE vulnerability.)
- CVSS Score: N/A
- CWE: N/A (Addresses protocol-level vulnerability POODLE)
## Affected Systems
- Products: Mozilla Firefox web browser
- Versions: Versions prior to Firefox 34
- Configurations: Systems using SSL 3.0 for secure connections.
## Vulnerability Description
The primary focus is the disabling of the **SSL 3.0 protocol** in Firefox 34 to mitigate vulnerabilities associated with the **POODLE (Padding Oracle On Downgraded Legacy Encryption)** exploit. POODLE allows attackers to intercept plaintext data from secure connections.
Additionally, Firefox 34 addresses eight other security issues, three of which are classified as *critical*:
1. **Buffer Overflow:** Found during media parsing.
2. **Use-After-Free Vulnerability:** Triggered when parsing HTML created via `document.open()`.
3. **Memory Safety Bugs:** Several issues showing evidence of memory corruption under specific circumstances.
## Exploitation
- Status: POODLE attack was known and reported (exploited in the wild context for SSL 3.0 generally).
- Complexity: Low/Medium (depending on the specific bug fixed, but POODLE typically involves downgrade attacks).
- Attack Vector: Network, Local (depending on the specific flaw addressed).
## Impact
Since the article details multiple fixes, the impact varies:
| Flaw Addressed | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| POODLE (SSL 3.0) | High (Interception of plaintext) | N/A | N/A |
| Critical Flaws (Buffer Overflow, UAF, Memory Corruption) | Potential | Potential | Potential (Crash/Denial of Service) |
| OSX Log Bug | High (Exposure of private data) | N/A | N/A |
| Malicious Website Data Leak | High | N/A | N/A |
## Remediation
### Patches
- **Firefox 34:** This version incorporates the necessary changes, specifically dropping support for SSLv3 entirely.
### Workarounds
- For users unable to update immediately, disabling SSL 3.0 at the system or proxy level (where possible) is the conceptual workaround, though the primary fix is updating the application. Mozilla explicitly pushed users toward TLS 1.1 and later.
## Detection
- **Indicators of Compromise (IOCs):** Not specified for the protocol change itself. For the internal bugs, successful exploitation would manifest as application crashes or evidence of memory corruption/reading sensitive data.
- **Detection Methods and Tools:** Not detailed in the summary, but standard vulnerability scanning tooling would report outdated protocol support (like SSL 3.0). Specific detection for the memory corruption bugs would require deep process monitoring.
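
As an added illustration of the protocol-version check mentioned above (not code from Mozilla or from the article), the sketch below reads the version a server selected out of a captured ServerHello and flags SSL 3.0. The function names are hypothetical, the sample handshakes are constructed in `build_sample`, and the "warn" tier for TLS 1.0 is an assumption based on the TLS 1.1 floor noted under Workarounds.

```python
import struct

# Version codes in the ServerHello (legacy field; TLS 1.3 also reports 0x0303 here).
NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def server_hello_version(data: bytes):
    """Return the version the server selected, or None if data is not a complete ServerHello."""
    if len(data) < 5:
        return None
    rec_type, _rec_version, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    # 0x16 = handshake record; need type(1) + length(3) + server_version(2) at minimum.
    if rec_type != 0x16 or len(body) != rec_len or rec_len < 6:
        return None
    if body[0] != 0x02:  # 0x02 = ServerHello
        return None
    return struct.unpack("!H", body[4:6])[0]

def classify(version):
    """Map a negotiated version to a finding."""
    if version is None:
        return "unparsed"
    if version <= 0x0300:
        return "fail"  # SSL 3.0 or older: the protocol Firefox 34 disables
    if version < 0x0302:
        return "warn"  # assumption: below the TLS 1.1 floor noted under Workarounds
    return "ok"

def build_sample(version: int) -> bytes:
    """Constructed ServerHello: zeroed random, empty session id, cipher 0x002f, no compression."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake

def audit(captures: dict) -> dict:
    """captures maps a host label to the first bytes that server sent back."""
    findings = {}
    for host, raw in captures.items():
        version = server_hello_version(raw)
        findings[host] = (NAMES.get(version, "unknown"), classify(version))
    return findings

if __name__ == "__main__":
    constructed = {"legacy.example": build_sample(0x0300),
                   "modern.example": build_sample(0x0303)}
    for host, finding in audit(constructed).items():
        print(host, *finding)
```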
## References
- Vendor Advisory: Mozilla security advisories (not explicitly linked, but implied by the release of Firefox 34).
- Relevant links:
  - Information regarding the POODLE discovery: `welivesecurity.com/2014/10/15/poodle-attack-google-uncovers-major-flaw-ssl-3-0`
  - Vendor confirmation/statement: `scmagazine.com/mozilla-addresses-poodle-by-disabling-ssl-30/article/386277`
  - General coverage: `techweekeurope.co.uk/software/firefox-34-google-yahoo-156755`