November 19, 2014

The SSL 3.0 vulnerability referenced in the Security Advisory 3009008 , also known as “Poodle”, has received a significant amount of attention. While the discovered issue is specific to SSL 3.0, many customers are wondering whether this affects Microsoft’s offerings, specifically Microsoft Dynamics online services.

Microsoft Dynamics Online Services Status

Microsoft Dynamics has completed some of our services and is in the process of remediating the following online services for the SSL 3.0 vulnerability.

Service	SSL v3.0 Mitigation Status
Microsoft Dynamics CRM Online	7-Dec
Microsoft Dynamics Marketing	7-Dec
Microsoft Social Listening	Completed
Parature for Microsoft Dynamics	Completed
Microsoft Dynamics Lifecycle Services	7-Dec
Online Services for Microsoft Dynamics	7-Dec

Recommended Client Side Remediation

It is also highly recommended that you update your browser to disable SSL 3.0 and leverage TLS. Please follow the provided links for more information on how to mitigate within the following browsers

Internet Explorer: https://technet.microsoft.com/en-us/library/security/3009008.aspx
Firefox: https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
Chrome: http://dottech.org/166990/how-to-disable-ssl-3-0-support-in-chrome-tip/

Note In addition to securing your client side browsers, we also recommend that all customers who are using a mobile platform and may be vulnerable, follow the guidance from their mobile operating system provider.

Additional Information

The following resources provide guidance for customers and administrators to ensure clients are utilizing TLS 1.0 or higher and to disable SSL 3.0 proactively.

You, as an individual, can use the Fix it, which is available for all supported versions of IE, to disable SSL 3.0 in your browser and help ensure you are protected from this vulnerability.
For managed desktop environments, this TechNet article provides guidance on how to determine if your environment has users connecting via SSL 3.0. If any users are identified, Security Advisory 3009008 provides guidance on how to apply a group policy to update the settings.
If you are an Azure customer, also visit the Azure blog for more information.

We want to assure our customers that we take your data and systems’ security seriously and hope that you find this information helpful.

For general information about our approach to security, visit the Microsoft Dynamics CRM Trust Center.

Sincerely,

Microsoft Dynamics Service Engineering Team

We're always looking for feedback and would like to hear from you. Please head to the Dynamics 365 Community to start a discussion, ask questions, and tell us what you think!