One day after reports of vulnerabilities in XML libraries, an analyst is warning companies not to ignore the danger of attacks that exploit those flaws.
“Hackers are moving up the stack to the application level,” says Neil MacDonald, a vice president at research firm Gartner. XML-based attacks can be expected to be “the next big thing for hackers,” he says.
Security test toolmaker Codenomicon and the Finnish Computer Emergency Response Team (CERT-FI) disclosed security risks in XML libraries that could result in successful denial-of-service attacks on applications built with them.
A wide variety of applications use the vulnerable XML libraries, which include those from the Python Software Foundation, Sun Microsystems and the Apache Software Foundation. Developers are being advised to follow the vendors' remediation instructions to address the flaws detailed by CERT-FI and Codenomicon.
“The effects of the vulnerabilities include denial-of-service and potentially code execution,” the CERT-FI advisory states. “The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting it to a server that handles XML content.”
The vulnerabilities relate to the parsing of XML elements with “unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely,” the advisory notes.
Updates are available for some of the affected libraries, and the CERT-FI advisory lists them. As of early today, however, no update for Python was available; the statement available through CERT-FI reads simply, “We are working on it.”
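For a Python application that cannot yet pick up a fixed library, one stopgap is to screen documents before they reach the parser for the two properties the advisory names: bytes that are not valid in the expected encoding, and deeply nested parentheses. The following is an added example, not code from CERT-FI, Codenomicon or any of the affected projects. It assumes the input is UTF-8 and that legitimate documents never nest parentheses more than 32 deep (both tunable); because the advisory quoted above does not say exactly where the recursive parentheses occur, the depth bound is applied to the whole document, and any DOCTYPE is refused outright since element declarations live there. The sample documents are constructed for the demonstration.

```python
"""Pre-parse guard for XML handed to a parser that may not yet be patched.

Added example (not from the advisory or any affected project). Assumptions:
input is UTF-8, and no legitimate document nests parentheses > MAX_PAREN_DEPTH.
"""
import re
import xml.parsers.expat

MAX_PAREN_DEPTH = 32          # assumed limit; tune for your documents
MAX_SIZE = 5 * 1024 * 1024    # assumed limit on document size in bytes

_DOCTYPE = re.compile(r"<!DOCTYPE", re.IGNORECASE)  # case-insensitive on purpose


class UnsafeXML(ValueError):
    """Raised when a document trips one of the pre-parse checks."""


def paren_depth(text: str) -> int:
    """Deepest nesting of '(' ... ')' anywhere in the text."""
    depth = max_depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
            if depth > max_depth:
                max_depth = depth
        elif ch == ")":
            depth = max(0, depth - 1)   # stray ')' never drives depth negative
    return max_depth


def screen_xml(data: bytes, max_paren_depth: int = MAX_PAREN_DEPTH) -> str:
    """Reject oversized, non-UTF-8, DTD-bearing or deeply parenthesised input."""
    if len(data) > MAX_SIZE:
        raise UnsafeXML(f"document of {len(data)} bytes exceeds {MAX_SIZE}")
    try:
        text = data.decode("utf-8", errors="strict")   # 'unexpected byte values'
    except UnicodeDecodeError as exc:
        raise UnsafeXML(f"invalid UTF-8 at byte {exc.start}") from None
    if _DOCTYPE.search(text):
        raise UnsafeXML("DOCTYPE/DTD not accepted")    # element declarations live here
    depth = paren_depth(text)
    if depth > max_paren_depth:
        raise UnsafeXML(f"parenthesis nesting {depth} exceeds {max_paren_depth}")
    return text


def classify(data: bytes) -> str:
    """Return 'ok' or the reason the document was refused."""
    try:
        screen_xml(data)
    except UnsafeXML as exc:
        return str(exc)
    return "ok"


def parse_guarded(data: bytes) -> dict:
    """Screen the bytes, then parse with expat; returns root name and element count."""
    screen_xml(data)
    summary = {"root": None, "elements": 0}
    parser = xml.parsers.expat.ParserCreate()

    def start(name, attrs):
        if summary["root"] is None:
            summary["root"] = name
        summary["elements"] += 1

    parser.StartElementHandler = start
    parser.Parse(data, True)   # bytes already verified as UTF-8
    return summary


# Constructed sample documents for the demonstration.
GOOD = b'<?xml version="1.0"?><order id="7"><item>widget</item><note>(a (b))</note></order>'
DTD_DOC = (b'<?xml version="1.0"?><!DOCTYPE r [<!ELEMENT r '
           + b'(' * 64 + b'#PCDATA' + b')' * 64 + b'>]><r/>')
DEEP_PARENS = b'<r>' + b'(' * 40 + b')' * 40 + b'</r>'
BAD_BYTES = b'<?xml version="1.0"?><r>\xff\xfe</r>'

if __name__ == "__main__":
    for label, doc in [("good", GOOD), ("dtd", DTD_DOC),
                       ("deep", DEEP_PARENS), ("bytes", BAD_BYTES)]:
        print(f"{label:5s} -> {classify(doc)}")
    print(parse_guarded(GOOD))
```

Refusing every DOCTYPE is deliberately blunt: it also shuts off entity expansion, but it will break callers that rely on an internal subset, so the rule belongs at the trust boundary (uploads, API bodies) rather than in code paths that parse documents you generate yourself. Once the vendor update lands, the guard can stay as defence in depth; it costs one pass over the bytes.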
MacDonald says Codenomicon has been researching XML-related flaws for some time, and the issue isn’t wholly new. The bigger problem is that many developers have built open-source XML libraries into custom and commercial applications, and years later people may be unaware of what has been used in an application, he says.
“Use of these libraries is pervasive,” MacDonald says. But people don’t always keep track of the open-source third-party libraries they’re using, and a developer may have moved on to another project without recording that detail. “It becomes hard because you don’t even know what applications are vulnerable.”