UPDATE 10.18.11: Today, Oracle is releasing a patch update to Java SE to address this vulnerability. We recommend that users update their Java plugin to ensure that they have the latest and most secure fixes. Windows users on auto update should start seeing the updates as early as this week. Users can also manually download the update here: http://java.com. Apple distributes Java updates directly for OS X. We will not be blocking vulnerable versions of Java at this time, though we will continue to monitor for incidents of this vulnerability being exploited in the wild.
Issue
Juliano Rizzo and Thai Duong recently presented a paper detailing an information stealing attack against TLS-protected communications. The attack is not Firefox specific, and Firefox is not vulnerable in default configurations, however some plugins may be.
Impact to users
A successful application of this man-in-the-middle attack would allow an attacker to steal information from encrypted communications. This could include cookie data, which may allow the attacker to impersonate the victim.
Status
Firefox itself is not vulnerable to this attack. While Firefox does use TLS 1.0 (the version of TLS with this weakness), the technical details of the attack require the ability to completely control the content of connections originating in the browser which Firefox does not allow.
The attackers have, however, found weaknesses in Java plugins that permit this attack. We recommend that users disable Java from the Firefox Add-ons Manager as a precaution. We are currently evaluating the feasibility of disabling Java universally in Firefox installs and will update this post if we do so.
Credit
This bug was reported by Juliano Rizzo and Thai Duong.
sudjansu wrote on
jony wrote on
n wrote on
Daniel Veditz wrote on
Daniel Veditz wrote on
Lake F. wrote on