Feeds

Oracle updates Java to stop SSL-chewing BEAST

Framework declared safe for Firefox

Combat fraud and increase customer satisfaction

Firefox developers said Tuesday that they have no plans to keep the browser from working with the Java software framework now that Oracle has released a patch that prevents it from being used to decrypt sensitive web traffic.

In a blog post published in late September and updated on Tuesday, Mozilla recommends that Firefox users update their Java plug-in to lower their chances of falling victim to attacks that silently decrypt data protected by the SSL, or secure sockets layer, protocol used by millions of websites. Firefox developers had said previously that they were seriously considering disabling the Java plug-in as a way of preventing the exploit.

Short for Browser Exploit Against SSL/TLS, BEAST was first demonstrated late last month at a security conference in Argentina, where researchers Juliano Rizzo and Thai Duong used the attack to recover an encrypted authentication cookie used to access a PayPal user account in less than two minutes. Oracle has more about the Java update here.

Their attack exploits a vulnerability in version 3.1 of SSL and version 1.0 of the SSL successor known as TLS, or Transport Layer Security. To make their code work, they needed a means to breach what's known as the same-origin policy, a mechanism built into browsers that prevents websites set by one domain from accessing or modifying data set by another site. Rizzo and Duong ultimately employed a Java applet that exploited a same-origin policy flaw in Oracle's software framework.

The possibility of real-world attacks that silently recovered authentication cookies, social security numbers, and other sensitive data encrypted by SSL was troubling enough to Firefox developers that they considered blocking Java plug-ins in the open-source browser. The move could have caused a variety of serious problems for users, because it would have prevented their browsers from working with virtual private networks, intranet tools, and web-conferencing applications such as Cisco Systems' WebEx.

“We will not be blocking vulnerable versions of Java at this time, though we will continue to monitor for incidents of this vulnerability being exploited in the wild,” Mozilla said in Tuesday's update.

But Java isn't the only way to bypass the same-origin policy, so it doesn't foreclose the possibility that Rizzo and Duong's exploit won't be carried out using other means.

“There will be other methods for doing this, so it doesn't fix the BEAST attack itself,” Nate Lawson, a cryptographer and principal of Root Labs, told The Register. “You need a TLS/SSL fix for that.”

Firefox developers, often working with developers of Google's Chrome browser, have experimented with other ways to stop BEAST attacks. Beta versions of Chrome, for instance, split messages into fragments to reduce an attacker's ability over the plaintext about to be encrypted.

As Lawson pointed out, a more effective fix would be for all websites and browsers to update to TLS 1.1 or SSL 3.2 or higher. Making the transition has proved extremely problematic because huge numbers of websites and browsers will fail to work as expected unless everyone upgrades all at once. ®

SANS - Survey on application security programs

Whitepapers

Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.