Symantec Mobile Management and Symantec Mobile Security products will rely on secure communication between servers and clients. The software will implement HTTPS protocol methods made available by the server. SSL v3 was discovered to be vulnerable to information disclosure, per www.cve.mitre.org/cgi-bin/cvename.cgi. If affected Microsoft Windows servers are not patched to prevent use of the SSL v3 protocol, Symantec Mobile Management and Symantec Mobile Security products may attempt to use the vulnerable SSL v3 protocol for communication.
Symantec recommends that all customers keep their server software updated per the manufacturers patching and release availability. In this specific case, Microsoft has provided a workaround and "fix-it" patch for the Windows operating system and the Internet Explorer browser. Details about this fix can be found here: technet.microsoft.com/en-us/library/security/3009008.aspx Using these workarounds should prevent Symantec Mobile Management and Symantec Mobile Security from negotiating secure communication using the vulnerable SSL v3 protocol.
Symantec also recommends continued update of all mobile devices, per their operating system manufacturers recommendation, to help prevent this, and other potential vulnerabilities.
Please also note, some older device types may not be able to negotiate an HTTPS protocol higher than SSL v3. Please see article: www.symantec.com/docs/TECH226034
For details regarding SSL v3 and the Symantec Management Platform (ITMS), please refer to their respective technical support pages.
Microsoft Windows server
Symantec Mobile Management
Symantec Mobile Security
Imported Document ID: TECH227813
Subscribing will provide email updates when this Article is updated. Login is required.