Oracle patches Java

Creation date

ID: IRCNE2011101293
Date: 2011-10-20

According to “ComputerWorld”, Oracle has released a new Java security update to address multiple vulnerabilities, including one exploited during a recently disclosed attack that can allow eavesdropping on encrypted communications.
Last month at the Ekoparty security conference in Buenos Aires, two security researchers demonstrated a practical method of intercepting SSL and TLS traffic.
Their man-in-the-middle attack, dubbed the Browser Exploit Against SSL/TLS (BEAST), leverages a long-known theoretical issue which affects most of the SSL and TLS implementations currently used on the Internet.
To pull off the attack, the researchers bypassed the browser's same-origin policy, a core security mechanism that prevents different opened websites from interfering with one another, by exploiting a vulnerability in the Java plug-in.
Identified as CVE-2011-3389, that vulnerability nearly led to Firefox developers banning Java from the browser following BEAST's disclosure. However, an agreement regarding that possible course of action could not be reached because such a decision would have broken many applications, especially in corporate environments where Java is used extensively.
Other vulnerabilities addressed by the new Java update are considered much more critical, such as the five maximum-rated arbitrary code execution flaws in various components, along with several undisclosed ones. A separate SSL/TLS issue affecting the Java application sandbox and a DNS cache poisoning bug have also been fixed.
So far there have been no reports of BEAST attacks, except for the official demonstration at Ekoparty, but that might change in the future, so users are strongly advised to install the update as soon as possible. In fact, because it is one of the most frequently attacked browser plug-ins, updating Java should be considered a priority in general.

Related Links:
Browsers against the BEAST problem
Microsoft promises a Windows patch
