XML Vulnerabilities Pose Threat to Several Applications
Security researchers from Finland's security testing firm Codenomicon have detected serious
vulnerabilities in open-source software libraries that implement the Extensible Markup Language
(XML), which underpins a rapidly growing range of applications used by e-commerce websites,
consumers and banks.
Ari Takanen, CTO of Codenomicon, said the flaws were found in apparently every open-source XML
library, The Register reported on August 6, 2009.
Several of the flaws could let cybercriminals compromise machines running applications that use
the affected libraries, including by executing malicious code remotely. XML implementations in
Java and Python, as well as Apache Xerces, have already been reported as affected, and according
to Takanen many more are likely to follow.
The flaws could be exploited by tricking a user into opening a specially crafted XML file, or by
submitting malicious requests to web services that handle XML content.
The researchers uncovered the vulnerabilities at the beginning of the year, while the company was
building a new product for testing XML. Running it against XML libraries revealed multiple bugs in
the parsing of XML data.
According to Codenomicon's senior security researcher, the firm informed the Finnish national
Computer Emergency Response Team (CERT-FI) about the flaws in February 2009. Since then,
Codenomicon and CERT-FI have worked with the affected vendors on remediating the problems,
eweek.com reported on August 5, 2009.
Researchers cautioned that any application using an affected library would be susceptible to
attack, and millions of such applications are expected to exist. The discovery is particularly
significant because it exposes weaknesses in a foundation on which most of the world's
applications are built, including 3D programs, cloud computing services and a wide array of
business software.
Because attackers may use the flaws for code-execution attacks, Codenomicon has highlighted that
the greatest threat is to libraries written in C.
The firm cautioned that attackers may discover XML-related attacks of their own, and advised
organizations to act on the recommendations, such as patching. Monitoring the providers of the
libraries they use for updates may also prove beneficial.
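The article names two exposure paths (crafted XML files and malicious requests to XML-handling web services) and a mitigation of patching and watching library vendors. The following is an added example, not code from the article or from Codenomicon, of a complementary defensive measure while a fix is pending: parsing untrusted XML in a separate, resource-limited process so that a crash or runaway allocation in the underlying C parser is contained rather than affecting the host application. The size limit, CPU and memory limits, and the sample documents are assumed values constructed for illustration, and the example uses Python's standard library parser (backed by the C library expat) as a stand-in for whichever XML library an application depends on.

```python
"""Contain parser failures when handling XML from untrusted sources.

Added example (not from the article or Codenomicon): the XML parser runs in a
child process under CPU and address-space limits, and the parent receives only
a small JSON summary, never the parsed tree.
"""
import json
import subprocess
import sys

try:
    import resource  # POSIX only; limits are skipped on other platforms
except ImportError:  # pragma: no cover
    resource = None

MAX_XML_BYTES = 1_000_000                 # assumed policy limit; tune per application
PARSE_TIMEOUT_S = 5.0                     # assumed wall-clock budget for one parse
CHILD_ADDRESS_SPACE = 512 * 1024 * 1024   # assumed memory cap for the parser process

# Script run by the child process. It reads the document from stdin and writes
# back a compact summary, so no parser-produced object crosses the boundary.
CHILD_SCRIPT = r"""
import json, sys
import xml.etree.ElementTree as ET
data = sys.stdin.buffer.read()
try:
    root = ET.fromstring(data)
    print(json.dumps({"ok": True, "root": root.tag,
                      "elements": sum(1 for _ in root.iter())}))
except ET.ParseError as exc:
    print(json.dumps({"ok": False, "reason": "parse error: %s" % exc}))
"""


def _limit_child() -> None:
    """Apply CPU and memory limits inside the child before the parser runs."""
    if resource is None:
        return
    for name, value in (("RLIMIT_CPU", int(PARSE_TIMEOUT_S) + 1),
                        ("RLIMIT_AS", CHILD_ADDRESS_SPACE)):
        try:
            resource.setrlimit(getattr(resource, name), (value, value))
        except (ValueError, OSError):
            pass  # hard limit already lower, or limit unsupported here


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML of unknown origin; returns {"ok": bool, ...} and never raises."""
    if len(data) > MAX_XML_BYTES:
        return {"ok": False, "reason": "input exceeds size limit"}
    try:
        proc = subprocess.run(
            [sys.executable, "-c", CHILD_SCRIPT],
            input=data,
            capture_output=True,
            timeout=PARSE_TIMEOUT_S,
            preexec_fn=_limit_child if resource is not None else None,
        )
    except subprocess.TimeoutExpired:
        return {"ok": False, "reason": "parser timed out"}
    if proc.returncode < 0:
        # A negative status means the child died from a signal (e.g. SIGSEGV),
        # which is how a memory-safety bug in a C parser typically shows up.
        return {"ok": False,
                "reason": "parser process crashed (signal %d)" % -proc.returncode}
    if proc.returncode != 0 or not proc.stdout:
        return {"ok": False,
                "reason": "parser process exited with status %d" % proc.returncode}
    return json.loads(proc.stdout)


# Constructed sample inputs for demonstration.
WELL_FORMED = b"<order><item sku='A1'/><item sku='B2'/></order>"
MALFORMED = b"<order><item></order>"   # mismatched tags

if __name__ == "__main__":
    print(parse_untrusted_xml(WELL_FORMED))
    print(parse_untrusted_xml(MALFORMED))
    print(parse_untrusted_xml(b"<a>" + b"x" * MAX_XML_BYTES))
```

The parent treats any non-JSON outcome (signal, non-zero exit, timeout) as a rejected document and logs the reason, which also makes a parser crash visible as an event worth alerting on rather than a silent service failure.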
» SPAMfighter News - 21-08-2009