August 6th, 2009

Major security holes in popular XML libraries

Posted by Ryan Naraine @ 7:26 am

Categories: Anti Virus, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Hackers, Malware, Passwords, Patch Watch, Pen testing, Phishing, Responsible disclosure, Vulnerability research, Web Applications

Tags: Vulnerability, Server, XML, Security, Software/Web Development, Web Development, Ryan Naraine

A security research outfit has issued a warning for several critical vulnerabilities in popular XML libraries used by a wide range of software vendors.

The flaws, discovered earlier this year by Codenomicon, affect a wide range of technology products, including servers and server applications, workstations and end user applications, network devices, embedded systems and mobile devices. Vendors affected include Sun Microsystems, the Apache Software Foundation and the Python project.

Here’s the skinny from Finland’s Computer Emergency Response Team (CERT-FI):

The vulnerabilities are related to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely. The effects of the vulnerabilities include denial of service and potentially code execution. The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting it to a server that handles XML content.

The vulnerabilities can be triggered remotely and, in some cases (Python), remain unpatched at the time of writing.
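As an added example, not part of the original post or of any affected vendor's code: a small Python screen for the two attack classes CERT-FI describes, placed in front of the standard-library expat binding. It assumes the service accepts UTF-8 only and uses a hypothetical nesting limit of 32 for DTD content models; the sample payloads are constructed here for illustration, not taken from Codenomicon's test cases.

```python
"""Screen XML payloads for bad byte values and deeply nested DTD content
models before they reach the parser (added example; assumptions noted inline)."""
import xml.parsers.expat

# Assumed policy limit for this example; tune it for the schemas you accept.
MAX_DTD_GROUP_DEPTH = 32


def bad_byte_sample() -> bytes:
    """Constructed sample: element text containing 0xFF, a byte that never occurs in UTF-8."""
    return b'<?xml version="1.0" encoding="UTF-8"?><doc>\xff</doc>'


def nested_parens_sample(depth: int) -> bytes:
    """Constructed sample: an internal DTD whose content model is wrapped in `depth` parentheses."""
    model = "(" * depth + "leaf" + ")" * depth
    doc = (
        '<?xml version="1.0"?>'
        f"<!DOCTYPE doc [<!ELEMENT doc {model}><!ELEMENT leaf (#PCDATA)>]>"
        "<doc><leaf/></doc>"
    )
    return doc.encode("utf-8")


def max_dtd_group_depth(text: str) -> int:
    """Deepest '(' nesting inside the internal DTD subset, or 0 when there is none.

    Deliberately crude: parentheses inside comments or quoted literals count too,
    so the screen errs toward rejecting, which is the safe direction for a boundary check.
    """
    start = text.find("<!DOCTYPE")
    if start < 0:
        return 0
    subset_start = text.find("[", start)
    if subset_start < 0:
        return 0
    subset_end = text.find("]>", subset_start)
    if subset_end < 0:
        subset_end = len(text)  # unterminated subset: scan to the end; expat rejects it anyway
    depth = deepest = 0
    for ch in text[subset_start:subset_end]:
        if ch == "(":
            depth += 1
            deepest = max(deepest, depth)
        elif ch == ")":
            depth = max(0, depth - 1)
    return deepest


def screen_xml(data: bytes, max_group_depth: int = MAX_DTD_GROUP_DEPTH) -> str:
    """Classify a payload before (and while) parsing it with the stdlib expat binding.

    Returns 'reject-encoding', 'reject-dtd-depth', 'reject-malformed' or 'ok'.
    """
    # 1. Unexpected byte values: decode with Python's strict codec first, so the
    #    parser's own decoder is never the first code to touch hostile bytes.
    #    (Assumes the service only accepts UTF-8; other encodings need their own check.)
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return "reject-encoding"

    # 2. Recursive parentheses: bound content-model nesting in the internal subset
    #    before the parser builds a recursive structure from it.
    if max_dtd_group_depth(text) > max_group_depth:
        return "reject-dtd-depth"

    # 3. Only now hand the bytes to expat. Parameter-entity parsing is off, so no
    #    external DTD or entity is fetched; a well-formedness error becomes a verdict,
    #    not an exception for the caller to forget.
    parser = xml.parsers.expat.ParserCreate()
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError:
        return "reject-malformed"
    return "ok"


if __name__ == "__main__":
    for label, sample in [
        ("bad byte", bad_byte_sample()),
        ("500 nested parens", nested_parens_sample(500)),
        ("3 nested parens", nested_parens_sample(3)),
    ]:
        print(f"{label:>18}: {screen_xml(sample)}")
```

Run it directly to see the three verdicts. Setting max_group_depth to 0 refuses any document that declares element content models at all, which is a sensible default for a service with no reason to accept a DTD. The screen is a boundary check only; it does not replace applying the vendor patches, because each affected library decodes bytes and builds content models in its own code.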


Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.



Talkback (most recent of 12)
Ubuntu released 4 patches for XML today
Ubuntu released 4 patches for XML today. I did notice that there was mention of Apache, hope these fixed it!! I am neither a professional nor a fanboy! Just a user that got fed up with Microsoft updates b...
Posted by: leopards on 08/12/09
