Security testing firm uncovers XML vulnerabilities

By Marcia Savage, Features Editor, Information Security
06 Aug 2009 | SearchSecurity.com

A security testing firm said it discovered multiple critical flaws in widely used XML libraries that an attacker could exploit to launch denial-of-service attacks or to execute malicious code.

Affected software includes implementations from Sun Microsystems Inc., Apache Software Foundation, and Python Software Foundation.

Codenomicon Ltd., which is based in Oulu, Finland, with a U.S. office in Cupertino, Calif., and specializes in fuzzing tools, said attackers could exploit the vulnerabilities by getting a user to open a specially crafted XML file or by submitting malicious requests to Web services that handle XML content.

The flaws could be used to launch denial-of-service or zero-day malware attacks, said Codenomicon CEO David Chartier. At this time, the company doesn't know of any active exploits, he said.

The company worked with the Finnish National Computer Emergency Response Team (CERT-FI) to coordinate with vendors on remediation. CERT-FI released an advisory with information about vendor security patches.

According to CERT-FI, the vulnerabilities affect servers, server applications, workstations, end-user applications, network devices, embedded systems and mobile devices. Codenomicon said the flaws in the XML libraries (the code used to parse and process XML data) affect many sectors, including banking, retail, manufacturing and healthcare.

Chartier said Codenomicon discovered the vulnerabilities earlier this year while developing a new product for XML testing. Fuzzing tools aren't typically used in the XML world, he said, and some of the company's larger customers asked for a tool to test their XML-based systems due to security and interoperability concerns.

"Sometimes these anomalies aren't sent maliciously by an attacker, but by another application having an issue. This is the other side of the fuzzing testing; you can make your applications more reliable and interoperate better," Chartier said. "So we built a tool to test XML, and we found a number of different things fairly quickly that caused some systems to go into an infinite loop and others to crash."
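The kind of robustness test Chartier describes, as an added example that is not Codenomicon's tool or any affected vendor's code: a small Python harness that feeds constructed XML anomalies to a parser inside a child process with a size cap and a wall-clock budget, so an infinite loop shows up as a "hang" verdict and a native crash as a non-zero exit instead of taking the caller down. It uses only the standard library; xml.etree.ElementTree is the illustrative parser under test, and the limits MAX_BYTES and PARSE_TIMEOUT_S, the sample document, the mutation set and the slow_parser stand-in are assumed values for the demonstration, not anything taken from the advisory. The same run_isolated wrapper (size cap, timeout, process isolation) is also one defensive pattern for a service that must accept XML from untrusted clients, as the article's attack vector describes.

```python
"""Robustness harness for untrusted XML: size cap, wall-clock timeout, process isolation.

Added example, not Codenomicon's tool. Standard library only; the parser under test
(xml.etree.ElementTree, expat-backed) is just an illustrative target.
"""
import multiprocessing
import queue
import time
import xml.etree.ElementTree as ET

MAX_BYTES = 64 * 1024      # size cap per document (assumed policy value)
PARSE_TIMEOUT_S = 2.0      # wall-clock budget per parse (assumed policy value)

try:
    _ctx = multiprocessing.get_context("fork")   # target/args inherited, not pickled
except ValueError:                               # platform without fork
    _ctx = multiprocessing.get_context()


def _worker(parse, data, q):
    """Child-process body: run the parser and report a verdict, never a traceback."""
    try:
        parse(data)
        q.put("accepted")
    except ET.ParseError:
        q.put("rejected")
    except Exception as exc:          # any other failure is still a finding
        q.put(f"error:{type(exc).__name__}")


def run_isolated(parse, data: bytes) -> str:
    """Run parse(data) in a child process; classify as accepted/rejected/error/hang/crash."""
    if len(data) > MAX_BYTES:          # cheap check before spending a process on it
        return "rejected:too-large"
    q = _ctx.Queue()
    p = _ctx.Process(target=_worker, args=(parse, data, q))
    p.start()
    p.join(PARSE_TIMEOUT_S)
    if p.is_alive():                   # the infinite-loop case the article describes
        p.kill()
        p.join()
        return "hang"
    if p.exitcode != 0:                # e.g. a segfault inside a native parser
        return f"crash:{p.exitcode}"
    try:
        return q.get(timeout=1)
    except queue.Empty:
        return "error:no-verdict"


def parse_bounded(data: bytes) -> str:
    """Production-shaped entry point: untrusted bytes in, bounded verdict out."""
    return run_isolated(ET.fromstring, data)


def mutations(sample: bytes) -> dict:
    """Deterministic anomalies of the kind a fuzzer generates (constructed set)."""
    return {
        "original": sample,
        "truncated": sample[: len(sample) // 2],
        "nul_in_tag": sample.replace(b"<order", b"<or\x00der", 1),
        "unclosed": sample.replace(b"</order>", b"", 1),
        "deep_nesting": b"<a>" * 1000 + b"x" + b"</a>" * 1000,
        "oversized": b"<a>" + b"y" * (MAX_BYTES + 1) + b"</a>",
    }


def run_campaign(sample: bytes, parse=ET.fromstring) -> dict:
    """Run every mutation through the isolated parser and collect verdicts by name."""
    return {name: run_isolated(parse, doc) for name, doc in mutations(sample).items()}


def slow_parser(data: bytes):
    """Stand-in for a parser that loops forever on some input (constructed)."""
    time.sleep(60)


# Constructed well-formed sample; mutations are derived from it.
SAMPLE = b'<?xml version="1.0"?><order id="42"><item sku="A1" qty="2"/></order>'

if __name__ == "__main__":
    for name, verdict in run_campaign(SAMPLE).items():
        print(f"{name:14} {verdict}")
    print(f"{'slow_parser':14} {run_isolated(slow_parser, SAMPLE)}")
```

Every verdict that is not "accepted" or "rejected" is a finding worth a bug report: "hang" and "crash:N" are exactly the two failure classes Chartier reports, and "error:…" catches a parser that raised something other than its own well-formedness error. Because the parser runs in a child, the caller survives all three, which is the property a Web service handling XML from the network needs regardless of which library it links.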

The pervasiveness of XML makes the vulnerabilities especially critical, Chartier said. "It's everywhere from your desktop to ATMs," he said.
