On Wednesday October 15th I blogged about the Lab having issued a Grid Status update warning, those who use the viewer’s built-in browser may not be able to access certain websites. The notice was issued by the Lab as a result of the Padding Oracle On Downgraded Legacy Encryption (Poodle) vulnerability reported by Google.
As noted in my original article, the Poodle vulnerability exploits a flaw in the design of the SSL 3.0 protocol, which despite being 18 years old, is used as a fallback security protocol within most browsers. By using a series of connection failures between a browser and website, an attacker can trigger what is called a “downgrade dance” where the browser eventually falls back to using the SSL 3.0 protocol to maintain communications. When this happens, the attacker can use the exploit within SSL 3.0 to grab sensitive data.
At the time the Grid Status update was issued, the Lab indicated they are working to fix the problem within the viewer’s browser capability. This has now been done, and release candidate version 126.96.36.1995539 of the viewer, referred to as the “Browser Fix” viewer, removes SSL 3.0 usage from the viewer’s internal browser, allowing it to connect to sites which have disabled SSL 3.0 support.
If you do use the official viewer and prefer accessing websites using the internal browser, you may want to download this RC. For those not using the official viewer and who have experienced issues accessing websites through the viewer’s internal web browser, try switching to using an external browser to open web links (set via Preferences), as per the advice on the original Grid Status update from the Lab.