Tuesday, October 18, 2011

Java Updates and the BEAST

Oracle Java SE Critical Patch Update Advisory - October 2011

Oracle released JRE 6 Update 29 and Java 7 Update 1 today. Along with fixing six very serious vulnerabilities (CVSS 10.0), these updates include a fix for CVE-2011-3389 as well.

Beyond the fact that some of those CVSS 10.0 vulnerabilities will end up in exploit kits quickly, the CVE-2011-3389 fix addresses the Same Origin Policy (SOP) bypass used by Rizzo/Duong in their chosen plain text attack on SSL/TLS 1.0, also known as "BEAST".

Of couse, this fix by Oracle does not totally fix weakness in the SSL/TLS 1.0 protocol...therefore it is important for the security industry to keep pushing toward wider adoption of TLS v1.1+.

No comments:

Post a Comment