Oracle has shipped a critical Java update that fixes at least 20 security vulnerabilities. The release matters because several of the flaws could have serious consequences, including remote code execution. In its advisory the company warned: “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.”
The company had more to say on the point: of the 20 vulnerabilities, 19 can be exploited remotely without authentication, meaning an attacker can trigger them over a network without any username or password.
The chart below from Microsoft says it all:
It all started last month at the Ekoparty security conference in Buenos Aires, where security researchers Juliano Rizzo and Thai Duong demonstrated a practical method of decrypting portions of SSL (Secure Sockets Layer) and TLS (Transport Layer Security) traffic.
Their attack, dubbed BEAST (Browser Exploit Against SSL/TLS), leverages a weakness that had long been known in theory and that affects most SSL and TLS implementations in use on the Internet: in the CBC-mode cipher suites of SSL 3.0 and TLS 1.0, the initialisation vector of each record is the last ciphertext block of the previous record, so an attacker who sees the traffic can predict it.
How did the pair get at the encrypted traffic? Turning the predictable IV into a practical attack requires injecting chosen plaintext into the victim's encrypted connection, which the browser's same-origin policy, a core security mechanism that stops different open websites from interfering with one another, is supposed to prevent. They bypassed that policy by exploiting a vulnerability in the Java plug-in.
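How the chosen-plaintext trick works in practice, as an added example that is not part of the original article and not the researchers' own code: a Python simulation of a TLS 1.0 style CBC record layer in which each record's IV is the last ciphertext block of the previous record. The attacker observes the ciphertext of a request carrying a secret cookie, then has the victim encrypt chosen one-block records whose plaintext cancels the predictable IV, so that a correct guess for the one unknown byte reproduces the observed ciphertext block. Everything here is constructed: a truncated HMAC stands in for the AES block operation (only the encryption direction is ever exercised), the cookie value and the attacker-controlled prefix are made up, and the channel model ignores MACs and padding. For comparison the same attacker is run against a record layer that uses a fresh random IV per record, sent explicitly (the TLS 1.1 design), where the guesses no longer line up.

```python
# Added example (not from the original article): simulation of the
# predictable-IV chosen-plaintext weakness in TLS 1.0 CBC (CVE-2011-3389)
# that BEAST turns into cookie recovery. The cipher, channel, cookie and
# attacker-controlled prefix are all constructed stand-ins.
import hashlib
import hmac
import os

BLOCK = 16
SECRET = b"session=7f3a9c1e2b4d"  # constructed stand-in for a session cookie


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for one AES block encryption: a deterministic keyed map on
    16-byte blocks (HMAC-SHA256 truncated). The attack only ever drives the
    victim's encryption direction, so inversion is never needed here."""
    assert len(block) == BLOCK
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class CbcChannel:
    """One TLS connection's record layer, CBC mode, block-aligned records.

    implicit_iv=True models TLS 1.0: the IV of each record is the last
    ciphertext block of the previous record, visible on the wire.
    implicit_iv=False models TLS 1.1+: a fresh random IV per record, sent
    explicitly and chosen after the attacker has committed to the plaintext."""

    def __init__(self, key: bytes, implicit_iv: bool = True):
        self.key = key
        self.implicit_iv = implicit_iv
        self.iv = os.urandom(BLOCK)   # the first IV is secret; later ones are not
        self.wire = []                # every block an eavesdropper sees

    def send(self, plaintext: bytes) -> list:
        assert len(plaintext) % BLOCK == 0
        prev = self.iv if self.implicit_iv else os.urandom(BLOCK)
        if not self.implicit_iv:
            self.wire.append(prev)    # explicit IV travels with the record
        blocks = []
        for i in range(0, len(plaintext), BLOCK):
            prev = block_encrypt(self.key, xor(plaintext[i:i + BLOCK], prev))
            blocks.append(prev)
        self.iv = prev                # TLS 1.0 chaining: the next IV is public
        self.wire.extend(blocks)
        return blocks


def victim_request(channel: CbcChannel, prefix: bytes) -> list:
    """The browser sends an attacker-chosen prefix followed by the cookie it
    attaches automatically (the cross-origin request BEAST coaxes out of it)."""
    msg = prefix + SECRET
    msg += b"\x00" * (-len(msg) % BLOCK)
    return channel.send(msg)


def recover_secret(channel: CbcChannel, secret_len: int):
    """Blockwise chosen-boundary attack: align one unknown byte at the end of a
    block whose other 15 bytes are known, then test each of 256 guesses with one
    chosen record whose plaintext cancels the predictable IV. Returns the
    recovered bytes, or None when no guess matches (IV was not predictable)."""
    recovered = b""
    channel.send(b"\x00" * BLOCK)     # priming record: from here on IVs are public
    for k in range(secret_len):
        pad = (BLOCK - 1 - k) % BLOCK
        prefix = b"A" * pad
        iv_before = channel.wire[-1]  # IV the victim's next record will use
        blocks = victim_request(channel, prefix)
        j = (pad + k) // BLOCK        # block holding exactly one unknown byte
        target = blocks[j]
        prev = blocks[j - 1] if j > 0 else iv_before
        known15 = (prefix + recovered)[j * BLOCK: j * BLOCK + BLOCK - 1]
        for g in range(256):
            guess = known15 + bytes([g])
            # C' = E(chosen XOR IV_next) = E(guess XOR prev), which equals the
            # target iff guess == P_j. IV_next is the last block seen on the wire.
            chosen = xor(xor(guess, prev), channel.wire[-1])
            (c,) = channel.send(chosen)
            if c == target:
                recovered += bytes([g])
                break
        else:
            return None
    return recovered


def run_attack(implicit_iv: bool):
    """Run the attacker against a fresh connection; the key is never used by it."""
    channel = CbcChannel(os.urandom(BLOCK), implicit_iv=implicit_iv)
    return recover_secret(channel, len(SECRET))


if __name__ == "__main__":
    print("TLS 1.0 style chained IV:", run_attack(True))
    print("TLS 1.1 style random IV: ", run_attack(False))
```

The attacker never touches the key: it only needs to see ciphertext and to have some plaintext of its choosing encrypted on the same connection, which is exactly what the same-origin bypass provided. Against the per-record random IV the prediction fails and no guess matches, which is why the protocol-level weakness, not the injection vector, is the thing to fix.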
The underlying flaw is tracked as CVE-2011-3389, and it put Oracle in an awkward position: following BEAST's disclosure, Mozilla came close to blocking the Java plug-in in Firefox outright. Java's extensive reach appears to have saved it, since much of the corporate world depends on Java, and blocking it would have broken many applications in ordinary users' environments as well.
Mozilla made its decision official on Tuesday, saying that blocking Java is off the table for now. The shift came because the company is satisfied that Oracle has released a fix. The browser maker said, “We will not be blocking vulnerable versions of Java at this time, though we will continue to monitor for incidents of this vulnerability being exploited in the wild.”
The outcome is good as far as it goes, but the patch is not a final solution: Java is only one of several technologies that could, in theory, be exploited to achieve the same result.