The latest Java version is no longer susceptible to BEAST attacks

Oct 19, 2011 12:12 GMT  ·  By
Make sure to install the latest version of Java to benefit from enhanced protection

Oracle released a Critical Patch Update that contains a large number of security fixes for products such as Linux 5, Sun Ray, Sun Products Suite, Fusion Middleware, Application Server, Business Intelligence Enterprise Edition and more.

The patch addresses many issues, but one of the most important updates is the one made to Java. Even though upgrading the browser's Java plug-in will not completely block BEAST, it will at least reduce the chances of a successful attack.

Not long ago, Mozilla officials were discussing the possibility of dropping Java support completely, but they were hoping Oracle would act first. Now that Oracle has, they posted an advisory on their blog recommending that users deploy the new version of the vulnerable plug-in.

“Firefox itself is not vulnerable to this attack. While Firefox does use TLS 1.0 (the version of TLS with this weakness), the technical details of the attack require the ability to completely control the content of connections originating in the browser which Firefox does not allow,” reads the post.

While the browser itself is not vulnerable, weaknesses in some of its plug-ins could allow an attacker to mount a man-in-the-middle attack and steal information from encrypted communications.

“We recommend that users disable Java from the Firefox Add-ons Manager as a precaution. We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so,” concludes the post.

This is a great step forward in the process of making the BEAST's attacks useless, but there is still a long way to go.

“There will be other methods for doing this, so it doesn't fix the BEAST attack itself. You need a TLS/SSL fix for that,” Nate Lawson, a cryptographer and principal of Root Labs, told The Register.