Oracle Java SE Critical Patch Update Advisory - October 2011
http://www.oracle.com/technetwork/topics/security/javacpuoct2011-443431.html
Oracle released JRE 6 Update 29 and Java 7 Update 1 today. Along with fixing six very serious vulnerabilities (CVSS 10.0), these updates include a fix for CVE-2011-3389 as well.
Beyond the fact that some of those CVSS 10.0 vulnerabilities will end up in exploit kits quickly, the CVE-2011-3389 fix addresses the Same Origin Policy (SOP) bypass used by Rizzo/Duong in their chosen plain text attack on SSL/TLS 1.0, also known as "BEAST".
Of couse, this fix by Oracle does not totally fix weakness in the SSL/TLS 1.0 protocol...therefore it is important for the security industry to keep pushing toward wider adoption of TLS v1.1+.
No comments:
Post a Comment