Researchers have uncovered numerous vulnerabilities in popular XML libraries from Sun Microsystems, Python and the Apache Software Foundation.
The bugs were discovered by researchers at code testing firm Codenomicon in early 2009 while the company was developing a new product for testing XML. When testing XML libraries, evidence of multiple flaws in the parsing of XML data popped up. The vulnerabilities could be exploited by tricking a user into opening a malicious XML file or submitting malicious requests to Web services handling XML content.
“We have not heard of anyone exploiting these flaws yet,” said Heikki Kortti, senior security specialist at Codenomicon.
According to Kortti, the company reported the flaws to CERT-FI, the Finnish national Computer Emergency Response Team, in February. After the vulnerabilities had been found, Codenomicon worked with CERT-FI to coordinate the remediation of the issues with the affected vendors. In addition to Sun, Apache and Python, a few other projects are expected to announce their fixes at a later date. Information from Sun about fixing the issues can be found here.
The pervasiveness of XML makes the flaws especially dangerous. The days when XML provided support for just a few applications and file formats are long gone. Today, XML is used in .NET, SOAP, VOIP, Web services, industrial automation (SCADA) and even banking infrastructure, officials noted.
“XML implementations are ubiquitous-they are found in systems and services where one would not expect to find them,” said Erka Koivunen, head of CERT-FI, in a statement. “For us it is crucial that end users and organizations who use the affected libraries upgrade to the new versions.”
Kortti advised developers worried their software leverages the affected libraries or who supplied the libraries in some form with their code to update and rebuild too.
“If their apps are using dynamic linking, it’s usually enough that the end user keeps their system up-to-date,” Kortti said. “With most modern OSes this is well taken care of.”
Codenomicon officials said they will release more details about some of the XML vulnerabilities that were found at the Hacker Halted 2009 security conference in Miami in September.