Security researchers release details about vulnerabilities in XML libraries from Sun Microsystems, Python and Apache. Developers who use the libraries are advised to take action as soon as possible.
Researchers have uncovered
numerous vulnerabilities in popular XML libraries from Sun Microsystems,
Python and the Apache Software Foundation.
by researchers at code testing firm Codenomicon in early
2009 while the company was developing a new product for testing XML. When
testing XML libraries, evidence of multiple flaws in the parsing of XML
data popped up. The vulnerabilities could be exploited by tricking a user into
opening a malicious XML file or submitting malicious requests to Web services
handling XML content.
"We have not heard of
anyone exploiting these flaws yet," said Heikki Kortti, senior security
specialist at Codenomicon.
According to Kortti, the
company reported the flaws to CERT-FI, the Finnish national Computer Emergency
Response Team, in February. After the vulnerabilities had been found,
Codenomicon worked with CERT-FI to coordinate the remediation
of the issues
with the affected vendors. In addition to Sun, Apache and
Python, a few other projects are expected to announce their fixes at a later date. Information
from Sun about fixing the issues can be
The pervasiveness of XML makes the flaws especially dangerous. The days when XML provided
support for just a few applications and file formats are long gone. Today,
XML is used in .NET,
SOAP, VOIP, Web services,
industrial automation (SCADA) and even banking infrastructure, officials
implementations are ubiquitous-they are found in systems and services where one
would not expect to find them," said Erka Koivunen, head of CERT-FI, in a
statement. "For us it is crucial that end users and organizations who use
the affected libraries upgrade to the new versions."
Kortti advised developers
their software leverages the affected libraries or who supplied the
libraries in some form with their code to update and rebuild too.
"If their apps are using
dynamic linking, it's usually enough that the end user keeps their system
up-to-date," Kortti said. "With most modern OSes this is well taken care of."
Codenomicon officials said
they will release more details about some of the XML vulnerabilities that
were found at the Hacker Halted 2009 security conference in
Miami in September.