August 6th, 2009

Code Red for XML open source

Posted by Dana Blankenhorn @ 7:03 am

Categories: Applications, General, Security, java

Tags: Code Red Worm, Open Source, JRE, Python, XML, Virus, Cyberthreats, Java, Viruses And Worms, Security

In a sign of things to come, Codenomicon has issued an alert against “multiple critical security issues in XML libraries,” which include libraries from Sun, Apache, Python and GNOME.

Codenomicon said it found the issues early this year while developing a product for XML testing, and has already been working with Finland’s CERT-FI on remediation.

Recommendations and patches are already going out. (I first found this cute little guy in 2004, while I was blogging for Corante. A now extinct firm called Irenecrafts was offering instructions on making them.)

Both ZDNet’s UK security team and our own Joe McKendrick have been putting out the word, but it’s also important to note where we are in terms of Bruce Schneier’s famous “window of exposure” chart, first published in the year 2000.

The public announcement of a vulnerability is the second stage of a bug's life, the point at which it becomes famous. (Think of the old Hollywood joke about an actor's career: "Who's X? Get me X. Get me something like X. Get me a young X. Who's X?") An announcement tells exploit writers where to look, working exploits follow, and the risk to users starts climbing immediately.

The peak moment of risk comes when the vendor ships a patch, because the patch itself shows attackers exactly where the bug is, and risk does not start declining until after users actually install it.

All this means that we are now entering the key window of vulnerability to this problem, and that window closes only after all your XML libraries have been updated.

If you own any of the following libraries you need to be alert and ready to patch:

  • Python libexpat
  • Apache Xerces
  • Sun JDK and JRE 6 Update 14 and earlier
  • Sun JDK and JRE 5.0 Update 19 and earlier.

Not only will servers and PCs be vulnerable until patches are installed, but so will embedded systems and mobile devices, which bundle the same parsers and are updated far less often.

Sun says the fix is in JDK and JRE 6 Update 15 and in 5.0 Update 20 (5.0 Update 19 being the last vulnerable release, as the list above says), but it warns that there is no workaround for unpatched versions short of upgrading, so this may be around a while. Xerces shipped a fix in June, and one is in progress for Python.
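The version thresholds above are the only concrete facts a patch sweep can key on, so here is an added example, not from the post or from Codenomicon or Sun, that turns them into a check: it parses the banner that `java -version` prints and reports whether the installed JDK/JRE falls in the "6 Update 14 and earlier" or "5.0 Update 19 and earlier" ranges. The sample banners are constructed for illustration; the mapping of "Update N" to Sun's `1.X.0_NN` version string is an assumption stated in the code, and anything outside those two families (other vendors, other majors) is reported as unknown rather than guessed.

```python
import re
import subprocess

# Vulnerable ranges exactly as the post states them: major family -> last
# vulnerable update number. Assumption: "Update N and earlier" corresponds to
# Sun's banner format 1.<family>.0_<update>, e.g. "1.6.0_14".
LAST_VULNERABLE_UPDATE = {6: 14, 5: 19}

JAVA_VERSION_RE = re.compile(r'version\s+"1\.(\d+)\.0_(\d+)')


def parse_java_version(banner):
    """Extract (family, update) from the first line of `java -version` output.

    Returns None when the banner is not in Sun's 1.X.0_NN format (OpenJDK 9+,
    other vendors), so the caller never silently treats it as safe."""
    m = JAVA_VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_java(banner):
    """True if the banner names a JDK/JRE in the post's affected ranges,
    False if it is a later update of those families, None if undecidable."""
    parsed = parse_java_version(banner)
    if parsed is None:
        return None
    family, update = parsed
    last_bad = LAST_VULNERABLE_UPDATE.get(family)
    if last_bad is None:
        return None  # family the post says nothing about: check manually
    return update <= last_bad


def installed_java_banner():
    """Run `java -version` (it writes to stderr) and return its first line,
    or None when no java binary is on PATH."""
    try:
        out = subprocess.run(["java", "-version"], capture_output=True,
                             text=True, timeout=10)
    except (OSError, subprocess.SubprocessError):
        return None
    text = (out.stderr or out.stdout).strip()
    return text.splitlines()[0] if text else None


# Constructed sample banners, not captured from any real host.
SAMPLE_BANNERS = [
    'java version "1.6.0_14"',
    'java version "1.6.0_15"',
    'java version "1.5.0_19"',
    'java version "1.5.0_20"',
    'openjdk version "11.0.2" 2019-01-15',
]

VERDICTS = {
    True: "VULNERABLE - patch",
    False: "patched",
    None: "unknown - check manually",
}


def report(banners):
    """Return (banner, verdict) pairs for each banner."""
    return [(b, VERDICTS[is_vulnerable_java(b)]) for b in banners]


if __name__ == "__main__":
    live = installed_java_banner()
    for banner, verdict in report(SAMPLE_BANNERS + ([live] if live else [])):
        print(f"{banner!r:45} {verdict}")
```

Run it on each host you administer; the "unknown" verdict is deliberate, since a banner the script cannot classify (a third-party JVM, or a build string in a different layout) is a reason to look, not a clean bill of health.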

Dana Blankenhorn has been a business journalist for 30 years and a tech freelancer since 1983.

Talkback (3 most recent)

  • jackbond (08/06/09): Open source is secure = ******** lies
  • Quebec-french (08/06/09): wow, what an intelligent post, my god help us
  • ator1940 (08/07/09): Open source is secure = ******** lies. Abraham Lincoln once said, "Sometimes it is better to remain silent and have people think you a fool, than to speak and remove any doubt." ...
