Researchers Uncover Critical XML Library Flaws | eWeek
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

Researchers Uncover Critical XML Library Flaws

Written By
Brian Prince
Brian Prince
Aug 5, 2009
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Researchers have uncovered numerous vulnerabilities in popular XML libraries from Sun Microsystems, Python and the Apache Software Foundation.

The bugs were discovered by researchers at code testing firm Codenomicon in early 2009 while the company was developing a new product for testing XML. When testing XML libraries, evidence of multiple flaws in the parsing of XML data popped up. The vulnerabilities could be exploited by tricking a user into opening a malicious XML file or submitting malicious requests to Web services handling XML content.

“We have not heard of anyone exploiting these flaws yet,” said Heikki Kortti, senior security specialist at Codenomicon.

According to Kortti, the company reported the flaws to CERT-FI, the Finnish national Computer Emergency Response Team, in February. After the vulnerabilities had been found, Codenomicon worked with CERT-FI to coordinate the remediation of the issues with the affected vendors. In addition to Sun, Apache and Python, a few other projects are expected to announce their fixes at a later date. Information from Sun about fixing the issues can be found here.

The pervasiveness of XML makes the flaws especially dangerous. The days when XML provided support for just a few applications and file formats are long gone. Today, XML is used in .NET, SOAP, VOIP, Web services, industrial automation (SCADA) and even banking infrastructure, officials noted.

“XML implementations are ubiquitous-they are found in systems and services where one would not expect to find them,” said Erka Koivunen, head of CERT-FI, in a statement. “For us it is crucial that end users and organizations who use the affected libraries upgrade to the new versions.”

Kortti advised developers worried their software leverages the affected libraries or who supplied the libraries in some form with their code to update and rebuild too.

“If their apps are using dynamic linking, it’s usually enough that the end user keeps their system up-to-date,” Kortti said. “With most modern OSes this is well taken care of.”

Codenomicon officials said they will release more details about some of the XML vulnerabilities that were found at the Hacker Halted 2009 security conference in Miami in September.
Brian Prince
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information