IDG News Service

Expect hacker attacks on XML flaws, analyst warns

Ellen Messmer, Network World, 08.06.2009

One day after reports of vulnerabilities in XML libraries, an analyst is warning companies not to ignore the danger of attacks that exploit those flaws.

“Hackers are moving up the stack to the application level,” says Neil MacDonald, a vice president at research firm Gartner. XML-based attacks can be expected to be “the next big thing for hackers,” he says.

Yesterday, security test toolmaker Codenomicon and the Finnish Computer Emergency Response Team (CERT-FI) disclosed vulnerabilities in XML libraries that can be used for denial-of-service attacks against applications built with them.

A wide variety of applications embed the vulnerable XML libraries, which include those from the Python Software Foundation, Sun Microsystems and the Apache Software Foundation. Developers are being advised to follow the vendors' remediation instructions to prevent the attacks detailed by CERT-FI and Codenomicon.

“The effects of the vulnerabilities include denial-of-service and potentially code execution,” the CERT-FI advisory states. “The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting it to a server that handles XML content.”

The vulnerabilities relate to the parsing of XML elements with “unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely,” the advisory notes.

Some remediation updates are already available, and CERT-FI is tracking them in its advisory. But as of early today, an update for Python was not yet available. “We are working on it,” reads a one-line statement relayed through CERT-FI.

MacDonald says Codenomicon has been researching XML-related flaws for some time, and the issue isn't wholly new. The bigger problem, he says, is that many developers have built open-source XML libraries into custom and commercial applications, and years later nobody may know which libraries a given application uses.

“Use of these libraries is pervasive,” MacDonald says. But organizations don't always keep track of the open-source third-party libraries they use, and the developer who chose one may have moved on to another project without recording that detail. “It becomes hard because you don't even know what applications are vulnerable.”
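The two practical questions raised above are which XML parser an application actually links (MacDonald's inventory problem) and how to keep the input classes the CERT-FI advisory describes (invalid byte values, deeply nested parentheses, which this example reads as nested parentheses inside a DTD element declaration, an interpretation of the advisory wording rather than something the article spells out) away from the library until a vendor fix lands. The following is an added example, not code from the article, Codenomicon or CERT-FI. It uses Python's standard `xml.parsers.expat` binding: `expat_inventory()` reports the expat version the runtime is built against, and `parse_untrusted()` installs callbacks that refuse any DOCTYPE before its internal subset is parsed, cap element nesting, and surface expat's own rejection of malformed bytes. `MAX_DEPTH`, the `UnsafeXML` exception and the sample documents in `SAMPLES` are constructed for this example.

```python
"""Added example: guarded XML intake plus parser inventory (not from the article).

Two things a team can do while waiting for a vendor fix:
  1. Find out which expat this Python runtime links, so the application can be
     matched against the vendor advisory.
  2. Refuse the input classes the advisory names (a DOCTYPE carrying element
     declarations, invalid byte values) before the library has to process them,
     and cap element nesting.
MAX_DEPTH, UnsafeXML and the SAMPLES documents below are constructed for this example.
"""
import xml.parsers.expat as expat

MAX_DEPTH = 64  # assumption: generous for ordinary documents, tight enough against nesting DoS


class UnsafeXML(Exception):
    """Raised when untrusted input is refused by policy or rejected by expat."""


def expat_inventory():
    """Report the expat version behind Python's XML stack (the inventory step)."""
    return {"library": "expat",
            "version": expat.EXPAT_VERSION,
            "version_info": tuple(expat.version_info)}


class _Guard:
    """Expat callbacks that enforce the intake policy while parsing."""

    def __init__(self, max_depth):
        self.max_depth = max_depth
        self.depth = 0
        self.max_seen = 0
        self.elements = 0

    def start_doctype(self, name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', before any <!ELEMENT ...> content model in the
        # internal subset is parsed, so nested parentheses never reach that code.
        raise UnsafeXML("DOCTYPE refused: untrusted input may not carry a DTD")

    def start_element(self, name, attrs):
        self.depth += 1
        self.elements += 1
        self.max_seen = max(self.max_seen, self.depth)
        if self.depth > self.max_depth:
            raise UnsafeXML("element nesting deeper than %d" % self.max_depth)

    def end_element(self, name):
        self.depth -= 1


def parse_untrusted(data, max_depth=MAX_DEPTH):
    """Parse bytes with the guard installed; return element and depth statistics.

    Raises UnsafeXML for a DOCTYPE, excessive nesting, or anything expat itself
    rejects (including byte sequences invalid in the document's encoding).
    """
    parser = expat.ParserCreate()
    guard = _Guard(max_depth)
    parser.StartDoctypeDeclHandler = guard.start_doctype
    parser.StartElementHandler = guard.start_element
    parser.EndElementHandler = guard.end_element
    try:
        parser.Parse(data, True)  # True: this is the final chunk
    except expat.ExpatError as exc:
        raise UnsafeXML("malformed XML: %s" % exc) from exc
    return {"elements": guard.elements, "max_depth": guard.max_seen}


def triage(samples, max_depth=MAX_DEPTH):
    """Run each (label, bytes) sample through the guard; return label -> verdict."""
    verdicts = {}
    for label, data in samples:
        try:
            stats = parse_untrusted(data, max_depth)
            verdicts[label] = "accepted (%d elements, depth %d)" % (
                stats["elements"], stats["max_depth"])
        except UnsafeXML as exc:
            verdicts[label] = "refused: %s" % exc
    return verdicts


# Constructed samples standing in for the input classes the advisory names.
SAMPLES = [
    ("plain", b"<order><item><sku>42</sku></item></order>"),
    ("dtd_with_nested_parens",
     b"<!DOCTYPE r [<!ELEMENT r ((((((a))))))>]><r/>"),
    ("invalid_byte", b"<r>\xff</r>"),
    ("deep_nesting", b"<a>" * 200 + b"</a>" * 200),
]

if __name__ == "__main__":
    print(expat_inventory())
    for label, verdict in triage(SAMPLES).items():
        print("%-24s %s" % (label, verdict))
```

Refusing every DOCTYPE is deliberately blunt: it also blocks legitimate DTD-based documents, which is the right trade for a server endpoint that takes XML from the public and does not need entity or content-model processing. The inventory function only answers for expat; an application that also uses Java or Xerces-based parsers needs the equivalent check on each of those stacks.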

Reprinted with permission from Network World. Story copyright 2009 Network World Inc. All rights reserved.
