Wednesday, October 19, 2011

Oracle releases BEAST-patched version of Java

System admins have another patch to roll out.  This one is IMHO not a critical, high-priority patch for internal computers which do little on the Internet, but it should be rolled out to your heavier Internet-using computers, especially roaming laptops, as they would probably be more susceptible to the MITM attacks that BEAST requires.

Oracle updates Java to stop SSL-chewing BEAST • The Register
Firefox developers said Tuesday that they have no plans to keep the browser from working with the Java software framework now that Oracle has released a patch that prevents it from being used to decrypt sensitive web traffic.

In a blog post published in late September and updated on Tuesday, Mozilla recommends that Firefox users update their Java plug-in to lower their chances of falling victim to attacks that silently decrypt data protected by the SSL, or secure sockets layer, protocol used by millions of websites. Firefox developers had said previously that they were seriously considering disabling the Java plug-in as a way of preventing the exploit.

Short for Browser Exploit Against SSL/TLS, BEAST was first demonstrated late last month at a security conference in Argentina, where researchers Juliano Rizzo and Thai Duong used the attack to recover an encrypted authentication cookie used to access a PayPal user account in less than two minutes. Oracle has more about the Java update here.

Oracle's bulletin is here:
Oracle Java Critical Patch Update - October 2011
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 20 new security fixes across Java SE, of which 6 are applicable to JRockit.

Download Java from the Java SE Downloads page. For end-user machines you probably want JRE 6u29; JRE 7u1 carries the same October 2011 fixes, but Java 7 is at this point primarily of interest to developers. Both builds add 1/n-1 CBC record splitting to JSSE as the BEAST mitigation (CVE-2011-3389); it is on by default and controlled by the jsse.enableCBCProtection system property. Leave it on unless a specific legacy server breaks on split records, since switching it off reinstates the weakness. After deployment, confirm that `java -version` reports 1.6.0_29 or 1.7.0_01 rather than trusting the installer's exit status.
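As a worked example of the rollout check (added here; this is not code from the original post or from Oracle), the Python below parses `java -version` output collected from each host, flags anything below 6u29 / 7u1 as needing the update, and orders the work so that unpatched roaming laptops come first. The inventory entries are constructed sample output; the host names and role labels are assumptions for the example.

```python
import re

# Minimum updates that carry Oracle's October 2011 CPU, the two builds named
# in the post: JRE 6 Update 29 and JRE 7 Update 1. Keys are the "1.x" family.
PATCHED_MINIMUM = {6: 29, 7: 1}

# `java -version` prints lines such as:  java version "1.6.0_29"  or  java version "1.7.0_01"
VERSION_RE = re.compile(r'java version "1\.(\d+)\.\d+(?:_(\d+))?')


def parse_java_version(output):
    """Return (family, update) from `java -version` text, e.g. (6, 29).

    Returns None when no version line is present (Java not installed,
    command not found, or output from some other tool).
    """
    m = VERSION_RE.search(output)
    if m is None:
        return None
    family = int(m.group(1))
    update = int(m.group(2) or 0)   # "1.7.0" with no _NN is the Java 7 GA build, update 0
    return family, update


def is_patched(version):
    """True only if the JRE is at or above 6u29 / 7u1.

    Families not in PATCHED_MINIMUM (1.5, 1.4.2, ...) are reported as
    unpatched so they show up for manual review rather than silently pass.
    """
    if version is None:
        return False
    family, update = version
    if family not in PATCHED_MINIMUM:
        return False
    return update >= PATCHED_MINIMUM[family]


def triage(inventory):
    """Classify hosts and order the rollout.

    inventory maps hostname -> (role, java -version output). Returns a list of
    (host, role, version, status) with status in {"update", "ok", "no-java"},
    unpatched hosts first and roaming laptops ahead of the other unpatched ones.
    """
    rows = []
    for host, (role, output) in inventory.items():
        version = parse_java_version(output)
        if version is None:
            status = "no-java"
        elif is_patched(version):
            status = "ok"
        else:
            status = "update"
        rows.append((host, role, version, status))

    def rollout_order(row):
        host, role, _, status = row
        # False sorts before True: "update" rows first, roaming laptops first among them
        return (status != "update", role != "roaming-laptop", host)

    return sorted(rows, key=rollout_order)


# Constructed sample output, as if collected from five hosts (hostnames and
# roles are assumptions for this example, not real inventory).
SAMPLE_INVENTORY = {
    "laptop-01": ("roaming-laptop",
                  'java version "1.6.0_26"\nJava(TM) SE Runtime Environment (build 1.6.0_26-b03)\n'),
    "desk-07": ("internal-desktop",
                'java version "1.6.0_29"\nJava(TM) SE Runtime Environment (build 1.6.0_29-b11)\n'),
    "dev-03": ("developer",
               'java version "1.7.0"\nJava(TM) SE Runtime Environment (build 1.7.0-b147)\n'),
    "dev-04": ("developer",
               'java version "1.7.0_01"\nJava(TM) SE Runtime Environment (build 1.7.0_01-b08)\n'),
    "kiosk-02": ("internal-desktop", "sh: java: command not found\n"),
}

if __name__ == "__main__":
    for host, role, version, status in triage(SAMPLE_INVENTORY):
        shown = "none" if version is None else "%du%d" % version
        print("%-10s %-17s %-8s %s" % (host, role, shown, status))
```

Feed it the real output of `java -version` (which goes to stderr, so capture with `2>&1`) from each host and the "update" rows are your rollout list in priority order; a Java 5 or 1.4.2 host also lands in that list on purpose, since this check only knows the two builds the post names.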
