This is a variation of the man-in-the-middle attack, invented by Juliano Rizzo and Thai Duong.
Here are the results of my brief research on BEAST.
Even though the detailed scenario of the attack has apparently not been published by its authors, some information and reviews by area experts are available online, so I could reconstruct the picture from several puzzle pieces.
The most important outcome: the attack cannot compromise custom client/server application communication, as it is aimed at browser/web server communication only.
It relies on web vulnerabilities and must inject malicious JavaScript code into the client browser in order to initiate the attack. Therefore, it affects websites only and does not affect custom software using SSL.
Workarounds/mitigations that are known today:
Using non-block (stream) ciphers such as RC4 instead of the standard default block ciphers such as AES.
  o the strongest ciphers (such as AES) are mostly block ciphers, and stream ciphers (such as RC4) may have their own weaknesses
  o stream ciphers may not be supported by all browsers/servers
Using TLS 1.X and higher (eliminating the use of SSL 3.0 and TLS 1.0, which were found vulnerable to the attack).
  o TLS 1.X is not widely used and therefore not proven enough;
  o TLS 1.X is not supported by all browser versions, so after the server is reconfigured some clients using old browser versions may be unable to access it.
The two countermeasures described above require web server reconfiguration that could make some clients unable to access the websites. Before anything is done, it should be thoroughly researched and tested.
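As an added example (not from the original post), one way to do that research before reconfiguring: read the negotiated protocol and cipher from the server's TLS request log, count the sessions that use SSL 3.0/TLS 1.0 with a block cipher, and list the clients that still connect with the old protocols. The log format (Apache mod_ssl's `%{SSL_PROTOCOL}x` and `%{SSL_CIPHER}x` fields), the verdict names and the sample lines are assumptions of this example.

```python
import re
from collections import Counter

# Protocol versions the text above names as vulnerable.
AFFECTED_PROTOCOLS = {"SSLv3", "TLSv1"}
# Assumed log format (Apache mod_ssl style; an assumption of this example):
#   "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
LINE_RE = re.compile(r"^\[[^\]]+\] (?P<client>\S+) (?P<proto>\S+) (?P<cipher>\S+) ")
# Constructed sample lines (documentation addresses), not from a real server.
SAMPLE_LOG = """\
[10/Oct/2011:10:00:01 +0000] 192.0.2.10 TLSv1 AES128-SHA "GET / HTTP/1.1" 512
[10/Oct/2011:10:00:02 +0000] 192.0.2.11 TLSv1 RC4-SHA "GET / HTTP/1.1" 512
[10/Oct/2011:10:00:03 +0000] 192.0.2.12 TLSv1.2 AES256-SHA256 "GET /a HTTP/1.1" 90
[10/Oct/2011:10:00:04 +0000] 192.0.2.10 TLSv1 DES-CBC3-SHA "GET /b HTTP/1.1" 77
[10/Oct/2011:10:00:05 +0000] 192.0.2.13 SSLv3 RC4-MD5 "GET / HTTP/1.1" 512
[10/Oct/2011:10:00:06 +0000] 192.0.2.14 - - "GET / HTTP/1.0" 300
"""

def classify(proto, cipher):
    """Sort one negotiated (protocol, cipher) pair by the two criteria above."""
    if proto not in AFFECTED_PROTOCOLS:
        return "newer_protocol"
    # In SSL 3.0 / TLS 1.0 an encrypting suite is either RC4 (stream) or a
    # block cipher, so a non-RC4, non-NULL suite is counted as a block cipher.
    name = cipher.upper()
    if "RC4" in name:
        return "old_protocol_stream_cipher"
    if "NULL" in name:
        return "old_protocol_no_encryption"
    return "old_protocol_block_cipher"

def audit(log_text):
    """Return (verdict counts, clients seen on SSL 3.0 / TLS 1.0)."""
    counts = Counter()
    old_clients = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["proto"] == "-":  # malformed line or non-TLS request
            counts["skipped"] += 1
            continue
        counts[classify(m["proto"], m["cipher"])] += 1
        if m["proto"] in AFFECTED_PROTOCOLS:
            old_clients.add(m["client"])
    return counts, old_clients

if __name__ == "__main__":
    counts, old_clients = audit(SAMPLE_LOG)
    print(dict(counts))
    print("clients seen on SSL 3.0/TLS 1.0:", sorted(old_clients))
```

A client in the second result negotiated an old protocol with this server; whether it can also speak a newer version still has to be tested before the old ones are switched off.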
Microsoft promised to release a Windows OS patch that blocks it (the IE browser uses the Windows SSL implementation).