Web Browsers Prepare to Battle BEAST
A blue wildebeest in Tanzania.
CREDIT: Muhammad Mahdi Karim
Web browser developers are scrambling to protect their customers from BEAST, a new exploit capable of breaking the encryption protocol used to secure millions of websites.
Short for Browser Exploit Against SSL/TLS, BEAST , its creators said, can decrypt the Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption used to keep data secure as it moves between users and the servers they're logged into.
Microsoft has announced that it is readying a security update to address a flaw that leaves numerous version of Windows, including Windows XP, Windows 7 and Windows Vista, vulnerable to BEAST. In a security advisory posted Monday (Sept. 26), Microsoft wrote that it is "currently working to develop a security update for Windows to address this vulnerability," and that it will release the update "once it has reached an appropriate level of quality for broad distribution."
No specific date was given, and Microsoft did not say what software it would patch. The software giant did say that it is not aware of any BEAST-related attacks.
BEAST is forcing browser developers to take swift action because of how potentially far-reaching and devastating it could be if deployed maliciously. BEAST exploits vulnerabilities in the SSL 3.0 security protocol and its close cousin, TLS 1.0, both of which are outdated but still widely in use.
Apple Safari, Google Chrome and Mozilla Firefox all still use TLS 1.0. Microsoft Internet Explorer and Opera Web browsers support the latest version, TLS 1.2, although IE turns off that support by default.
Google has released a workaround to protect Chrome customers from BEAST. Mozilla is considering a much more drastic step: It may block Firefox from interacting with Java, the ubiquitous Web-brower software framework that BEAST feeds on to execute its SSL/TLS decryption.
Blocking Java, however, would cripple Firefox's ability to interact with with thousands of websites that use Java-based applets, the Register reported.
The Java block could cause "serious problems for users, particularly those in large corporations and government organizations that rely on the framework to make their browers work with virtual private networks, intranet tools and Web-conferencing applications such as Cisco Systems' WebEx."