Vulnerabilities discovered in XML libraries from Sun, Apache Software Foundation and Python Software Foundation could result in successful denial-of-service attacks on applications built with them, according to Codenomicon.
“There are probably millions of these applications,” says Dave Chartier, CEO of Codenomicon, the security vendor that makes a protocol-analysis fuzzing tool, Defensics, and earlier this year added a way to test for vulnerabilities in XML code.
Codenomicon has shared its findings with industry and the open source groups, and a number of recommendations and patches for the XML-related vulnerabilities are expected to be made available this week. In addition, a general security advisory is expected to be published by the Computer Emergency Response Team in Finland (CERT-FI), which has worked closely with Codenomicon.
20 useful IT security Web sites
Fuzzing tools — sometimes called negative-tester tools — test for vulnerabilities in code by hitting it with both valid requests and anomalies to see how it responds. Codenomicon found flaws in XML parsers that made it fairly easy to cause a DoS attack, corruption of data, and even delivery of a malicious payload using XML-based content.
The vulnerabilities could be exploited by enticing a user to open a specifically-crafted XML file, or by submitting malicious requests to Web services that handle XML content, according to Codenomicon. Chartier says it should be anticipated that attackers will explore XML-related attacks, and he advises organizations to follow the suggested recommendations, such as patching.
XML is widely used in .NET, SOAP, VoIP, Web services and industrial automation applications, the firm points out.
“XML implementations are ubiquitous — they are found in systems and services where one would not expect to find them,” said Erka Koivunen, head of CERT-FI, in prepared remarks. “For us, it is crucial that end users and organizations who use the affected libraries upgrade to the new versions. This announcement is just the beginning of a long remediation process that ends only when the patches have been deployed to production systems.”
Codenomicon expects to discuss the various XML vulnerabilities in depth at the Miami-based conference Hacker Halted 2009 in September.