Vulnerabilities discovered in XML libraries from Sun, Apache Software Foundation and Python Software Foundation could result in successful denial-of-service attacks on applications built with them, according to Codenomicon; security vendor that makes a protocol-analysis fuzzing tool, Defensics, and earlier this year added a way to test for vulnerabilities in XML code.
"There are probably millions of these applications," says Dave Chartier, CEO of Codenomicon
Codenomicon has shared its findings with industry and the open source groups, and a number of recommendations and patches for the XML-related vulnerabilities are expected to be made available soon. In addition, a general security advisory is expected to be published by the Computer Emergency Response Team in Finland (CERT-FI), which has worked closely with Codenomicon.
Fuzzing tools test for vulnerabilities in code by hitting it with both valid requests and anomalies to see how it responds. Codenomicon found flaws in XML parsers that made it fairly easy to cause a DoS attack, corruption of data, and even delivery of a malicious payload using XML-based content.
The vulnerabilities could be exploited by enticing a user to open a specifically-crafted XML file, or by submitting malicious requests to Web services that handle XML content, according to Codenomicon. Chartier says it should be anticipated that attackers will explore XML-related attacks, and he advises organizations to follow the suggested recommendations, such as patching.
XML is widely used in .NET, SOAP, VoIP, Web services and industrial automation applications, the firm points out.
"XML implementations are ubiquitous -- they are found in systems and services where one would not expect to find them," Erka Koivunen, head of CERT-FI
Codenomicon expects to discuss the various XML vulnerabilities in depth at the Miami-based conference Hacker Halted 2009 in September.