Google Removes SSLv3 Fallback Support From Chrome

Google has released Chrome 39, fixing 42 security vulnerabilities and removing support for the fallback to SSLv3, the component that was the target of the POODLE attack revealed last month.

Google has released Chrome 39, fixing 42 security vulnerabilities and removing support for the fallback to SSLv3, the component that was the target of the POODLE attack revealed last month.

When the POODLE attack was disclosed by several Google researchers in October, the company said that it had added a change to Chrome that would disable SSLv3 fallback. The technique involves an attacker to force a server to fall back from a modern version of SSL/TLS to the older SSLv3 and then decrypt the protected traffic by sending a high volume of requests to the server. The company plans to disable support for SSLv3 altogether at some point in the near future.

A little further down the line, perhaps in about three months, we hope to disable SSLv3 completely. The changes that I’ve just landed in Chrome only disable fallback to SSLv3 – a server that correctly negotiates SSLv3 can still use it. Disabling SSLv3 completely will break even more than just disabling the fallback but SSLv3 is now completely broken with CBC-mode ciphers and the only other option is RC4, which is hardly that attractive. Any servers depending on SSLv3 are thus on notice that they need to address that now,” Adam Langley of Google wrote in October.

Among the fixes in Chrome 39 are a number of patches for high-risk vulnerabilities, including several buffer overflows, use-after-frees and integer overflows. Google paid out $25,000 in rewards to researchers who reported vulnerabilities fixed in the new release. In addition, the company paid out $16,500 in additional rewards to researchers who found bugs during the development cycle.

The full list of patches in Chrome 39:

[$500][389734] High CVE-2014-7899: Address bar spoofing. Credit to Eli Grey.

[$1500][406868] High CVE-2014-7900: Use-after-free in pdfium. Credit to Atte Kettunen from OUSPG.

[$1000][413375] High CVE-2014-7901: Integer overflow in pdfium. Credit to cloudfuzzer.

[$1000][414504] High CVE-2014-7902: Use-after-free in pdfium. Credit to cloudfuzzer.

[$3000][414525] High CVE-2014-7903: Buffer overflow in pdfium. Credit to cloudfuzzer.

[$2000][418161] High CVE-2014-7904: Buffer overflow in Skia. Credit to Atte Kettunen from OUSPG.

[$2000][421817] High CVE-2014-7905: Flaw allowing navigation to intents that do not have the BROWSABLE category. Credit to WangTao(neobyte) of Baidu X-Team.

[$500][423030] High CVE-2014-7906: Use-after-free in pepper plugins. Credit to Chen Zhang (demi6od) of the NSFOCUS Security Team.

[$7500][423703] High CVE-2014-0574: Double-free in Flash. Credit to biloulehibou.

[$5000][424453] High CVE-2014-7907: Use-after-free in blink. Credit to Chen Zhang (demi6od) of the NSFOCUS Security Team.

[$500][425980] High CVE-2014-7908: Integer overflow in media. Credit to Christoph Diehl.

[$500][391001] Medium CVE-2014-7909: Uninitialized memory read in Skia. Credit to miaubiz.

Suggested articles

Discussion

  • Larry Seltzer on

    That list of fixes is not a complete list. It's just the ones for which Google paid bounties or which they found interesting. Thanks for pointing out the SSLv3 part though, I may reblog
  • Stephanie on

    Help....I play a game called Pioneer Trail and am having endless problems posting and receiving gifts as I receive a message saying "Client and server don't support a common SSL protocol version or cipher suite. This is usually caused when the server needs SSLv3 support which has been removed" If I refresh I can receive and send gifts so what is this message I am receiving ? First time in 4 years this has happened !!! Any suggestions ? Thank you
    • MJ on

      I am getting the same message with Farmville and Farmville2. All help appreciated.
  • MJ on

    I am having the same problem with a ZYNGA game called Farmville and Farmville2. All help appreciated
  • DYAN on

    I am having the same problem but with my school!
  • Jeane on

    OK so SSLv3 has been removed so what are we suppose to do now?? Games on Facebook rely on that protocol to run!
    • Anonymous on

      OK so SSLv3 has been removed so what are we suppose to do now?? Games on Facebook rely on that protocol to run! - See more at: https://threatpost.com/google-removes-sslv3-I play FV2 and it wont work 98% of the time since chrome removed SSLv3
      • b. grateful on

        I am having the same problem currently while trying to play Farmville 2.. which I've been playing for over 3 years now.. I have done all the troubleshooting steps listed in the Zynga support pages.. but nothing is working to fix it.. I would like to continue to play the game.. but this client/ server issue with the sslv3 removal is non negotiable apparently? Does anyone who may be reading have an answer?

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.