A security testing firm said it discovered multiple critical flaws in widely used XML libraries that could be exploited by an attacker to launch denial-of-service attacks and to execute malicious code.
Affected software includes implementations from Sun Microsystems Inc., Apache Software Foundation, and Python Software Foundation.
Codenomicon Ltd., which is based in Oulu, Finland, with a U.S. office in Cupertino, Calif., and specializes in fuzzing tools, said attackers could exploit the vulnerabilities by getting a user to open a specially crafted XML file or by submitting malicious requests to Web services that handle XML content.
The flaws could be used to launch denial-of-service or zero-day malware attacks, said Codenomicon CEO David Chartier. At this time, the company doesn't know of any active exploits, he said.
The company worked with the Finnish National Computer Emergency Response Team (CERT-FI) to coordinate with vendors on remediation. CERT-FI released an advisory with information about
According to CERT-FI, the vulnerabilities target servers, server applications, workstations, end-user applications, network devices, embedded systems and mobile devices. Codenomicon said the flaws in the XML libraries, the code used to process XML data, affect many sectors, including banking, retail, manufacturing and healthcare.
Chartier said Codenomicon discovered the vulnerabilities earlier this year while developing a new product for XML testing. Fuzzing tools aren't typically used in the XML world, he said, and some of the company's larger customers asked for a tool to test their XML-based systems due to security and interoperability concerns.
"Sometimes these anomalies aren't sent maliciously by an attacker, but by another application having an issue. This is the other side of the fuzzing testing, you can make your applications more reliable and interoperate better," Chartier said. "So we built a tool to test XML and we found a number of different things fairly quickly that caused the systems either to go into an infinite loop and others to crash."
The pervasiveness of XML makes the vulnerabilities especially critical, Chartier said. "It's everywhere from your desktop to ATMs," he said.