Can be used to trigger denial of service or possibly execute arbitrary code

Aug 6, 2009 10:12 GMT

Researchers from Finnish security testing company Codenomicon warn that most open source XML parsing libraries suffer from vulnerabilities that can be exploited to generate denial of service conditions or execute hostile code. This research could have huge implications, as a large number of applications use these libraries to handle XML-formatted data.

Codenomicon has offices in Oulu, Silicon Valley and Hong Kong, and its main activity is developing proprietary software security assessment tools. The company recently began testing open source XML libraries by using new XML-based fuzzing technology, as part of its Codenomicon Robust Open Source Software (CROSS) program.

Fuzzing is a method of testing applications by feeding them unexpected and malformed input data. It is actively used to test for crashes or memory leaks and buffer overflows. "XML fuzzing takes XML message structures and alters them in ways beyond imagination. Breaking the encoding, repetition of tags and elements, dropping of tags and elements, recursive structures, overflows, special characters, and many, many other methods will easily corrupt XML parsing and XML-based protocol communications," the company explains.
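The following is an added illustration of the mutation classes the quote lists (repetition, dropped tags, recursive structures, broken encoding, special characters, overflows); it is example code written for this article, not Codenomicon's tooling. It applies each mutation to a constructed seed document, feeds the result to Python's standard-library `xml.etree.ElementTree` parser, and classifies the reaction: a clean `ParseError` is the robust outcome, while any other exception or an unusually slow parse is the kind of finding a fuzzing campaign records. The seed message, the mutation parameters and the one-second slowness threshold are assumptions chosen for the example.

```python
"""Toy XML mutation fuzzer (example code, not Codenomicon's tool).

Applies the mutation classes named in the article to a constructed seed
document and records how the parser reacts to each mutated variant.
"""
import time
import xml.etree.ElementTree as ET

# Constructed seed message; a real harness would start from captured samples.
SEED = (b'<?xml version="1.0" encoding="UTF-8"?>'
        b'<order id="1"><item qty="2">widget</item><note>hello</note></order>')


def mutate_repeat_element(seed: bytes, times: int = 200) -> bytes:
    """Repetition: duplicate the <item> element `times` times."""
    item = b'<item qty="2">widget</item>'
    return seed.replace(item, item * times, 1)


def mutate_drop_closing_tag(seed: bytes) -> bytes:
    """Dropped tag: remove one closing tag so the document is unbalanced."""
    return seed.replace(b'</note>', b'', 1)


def mutate_deep_nesting(depth: int = 500) -> bytes:
    """Recursive structure: a chain of nested elements `depth` levels deep."""
    return b'<?xml version="1.0"?>' + b'<a>' * depth + b'x' + b'</a>' * depth


def mutate_break_encoding(seed: bytes) -> bytes:
    """Broken encoding: document declares UTF-8 but carries an invalid byte."""
    return seed.replace(b'hello', b'hel\xfflo', 1)


def mutate_special_chars(seed: bytes) -> bytes:
    """Special characters: an illegal character reference plus a bare ampersand."""
    return seed.replace(b'widget', b'wid&#x0;get & co', 1)


def mutate_overflow(seed: bytes, length: int = 1_000_000) -> bytes:
    """Overflow: an attribute value far larger than any sane message."""
    return seed.replace(b'id="1"', b'id="' + b'A' * length + b'"', 1)


def run_case(name: str, payload: bytes, slow_threshold: float = 1.0) -> dict:
    """Parse one variant and classify the parser's reaction.

    'accepted'   parser produced a tree (expected only for well-formed input)
    'rejected'   parser raised ParseError, i.e. it handled bad input cleanly
    'slow'       parsing exceeded slow_threshold seconds (denial-of-service signal)
    'unexpected' any other exception (RecursionError, MemoryError, ...), the
                 class of result a fuzzing campaign flags for investigation
    """
    detail = ''
    start = time.perf_counter()
    try:
        ET.fromstring(payload)
        outcome = 'accepted'
    except ET.ParseError as exc:
        outcome, detail = 'rejected', str(exc)
    except Exception as exc:  # anything that is not a clean parse error
        outcome, detail = 'unexpected', repr(exc)
    elapsed = time.perf_counter() - start
    if elapsed > slow_threshold:
        outcome = 'slow'
    return {'case': name, 'outcome': outcome, 'detail': detail,
            'seconds': round(elapsed, 4), 'size': len(payload)}


def fuzz_all(seed: bytes = SEED) -> list:
    """Run every mutation class once against the seed and return the results."""
    cases = [
        ('baseline', seed),
        ('repeat_element', mutate_repeat_element(seed)),
        ('drop_closing_tag', mutate_drop_closing_tag(seed)),
        ('deep_nesting', mutate_deep_nesting()),
        ('break_encoding', mutate_break_encoding(seed)),
        ('special_chars', mutate_special_chars(seed)),
        ('overflow_attribute', mutate_overflow(seed)),
    ]
    return [run_case(name, payload) for name, payload in cases]


if __name__ == '__main__':
    for result in fuzz_all():
        print(f"{result['case']:<20} {result['outcome']:<10} "
              f"{result['seconds']:>8}s  {result['size']:>9} bytes  {result['detail']}")
```

Run against a well-behaved parser, every malformed variant should land in `rejected`; a real campaign would generate many variants per class, run the target under a crash monitor or memory sanitizer, and treat every `unexpected` or `slow` result as a bug report.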

The new technique revealed various flaws in virtually all libraries tested so far, and Codenomicon has been working with CERT-FI to notify the affected vendors and co-ordinate the patching process. According to a CERT-FI advisory, Python libexpat, Apache Xerces, Sun JDK and JRE 6 Update 14 and earlier, as well as Sun JDK and JRE 5.0 Update 19 and earlier, were found vulnerable, and fixes have been announced.

The names of other affected projects have not yet been released, because vendor responses are still pending. "Application developers using the vulnerable libraries should review their software and update their libraries, rebuild if needed, release a patch, and inform their users if they are vulnerable," the Finnish firm advises.

This discovery poses serious problems because the XML format is widely used in the Web 2.0 ecosystem to exchange data between services. "XML is used everywhere. XML is used in cloud computing, web applications, mobile applications, 3D images, documents, instant messaging," Codenomicon researchers note.

This new widespread attack vector could put online banking, stock information, e-commerce, patient data, tax information or network management systems, just to name a few, at risk. Obviously, Internet-facing systems are the most exposed, but intranet systems could just as easily be attacked if hackers infiltrate the local network from another point.