
Researchers: XML Security Flaws are Pervasive

Security researchers today unveiled details about a little-known but ubiquitous class of vulnerabilities that may reside in a range of Internet components, from Web applications to mobile and cloud computing platforms to documents, images and instant messaging products.

At issue are problems with the way many hardware and software makers handle data from an open standard called XML. Short for "eXtensible Markup Language," XML has been used for many years as a fast and efficient way to transport, store and structure information across a wide range of often disparate applications.

Researchers at Codenomicon Ltd., a security testing company out of Oulu, Finland, say they found multiple critical flaws in XML "libraries," chunks of code that are typically used and re-used in software applications to process XML data.

Codenomicon is a spinoff from the University of Oulu, and is run by many of the same individuals who in 2001-2002 found and reported a widespread vulnerability in a remote Internet management protocol called ASN.1. That research kicked off months of studying and patching by the U.S. government and private sector, which found the ASN.1 flaws extended to some of the nation's most critical electronic infrastructures, including the telephone network, the power grid, and air traffic control systems.

Howard Schmidt, a Codenomicon board member who served as cyber security adviser to President Bush during the ASN.1 episode, said these XML flaws are nearly as widespread. Schmidt said the result of a successful attack against a vulnerable XML library could range from allowing the remote installation of malicious software to simply sending the application into an infinite loop, rendering it temporarily inaccessible.

"XML is being used in so many different things we're doing on the Web today," Schmidt said. "So it's a big deal when something goes wrong with something that's Internet-facing that so many people depend upon."

XML is used in a variety of document formats (docx, openoffice, playlists, configuration files and RSS feeds, to name a few). As a result, there are numerous vectors for attacking XML flaws remotely, such as sending malicious documents or network requests, said Jussi Eronen, an information security adviser for CERT-FI, the Finnish Computer Emergency Response Team.

Eronen said three major software makers - including Sun Microsystems, Apache Software Foundation and Python Software Foundation - are expected to release updates today to address the XML flaws (Sun's Java Update - Java 6 Update 15 - is already out, and mentions at least two XML flaws). Eronen predicts a large number of other software vendors will ship patches for the flaw in the weeks and months ahead.

"There is no doubt whatsoever that a great deal of vulnerabilities similar to the ones released [today] will emerge over time," Eronen said. "Moreover, people tend to make similar mistakes in coding, so that a single XML file might at worst affect several libraries. This would be a good moment to wrap our heads around this problem, and to attain some degree of understanding of how to handle similar issues in the future."

Codenomicon founder Ari Takanen said he is not aware of any public exploits for these vulnerabilities. But he said he hopes other potentially affected software vendors take this discovery seriously.

"It is impossible to forecast what will happen. My pessimistic guess is that nobody really cares until the first exploits emerge," Takanen told Security Fix.

Update, 5:31 p.m. ET: CERT-FI's advisory on this is here.

By Brian Krebs  |  August 5, 2009; 12:44 PM ET
Categories: Latest Warnings, New Patches, Safety Tips | Tags: codenomicon, fi-cert, xml


It will be interesting to see how this plays out...

Posted by: sdroppers | August 5, 2009 1:56 PM | Report abuse

The title of this article and several of its statements are misleading. There is no security flaw in XML, which is essentially just a document format. Rather, there are vulnerabilities in some XML parsing libraries -- completely different ballgame.

Posted by: danmactough | August 5, 2009 4:17 PM | Report abuse

Pardon me for nitpicking, but:

> a remote Internet management
> protocol called ASN.1

Like XML, ASN.1 (Abstract Encoding Notation) is a data encoding scheme, not a remote management protocol. And as danmactough has already pointed out, the article title is misleading since the vulnerabilities lie in libraries that parse XML, not in the XML spec itself.

Posted by: tjonz | August 6, 2009 12:45 AM | Report abuse

Er, make that "Abstract *Syntax* Notation." Gotta fire my proofreader. ;-)

Posted by: tjonz | August 6, 2009 12:47 AM | Report abuse

Interesting you recall the ASN.1 vulnerability. It took three years to manifest itself in actual bad outcomes and MS04-011 and little else. Is there some reason to believe XML will play out differently? Oulu had a research objective with ASN.1. Codenomicon Ltd is a company and they're rolling out commercial tools for the problem they've discovered; is that the objective this time? How can objectivity and altruism be measured?

Posted by: dmk45044 | August 6, 2009 4:16 AM | Report abuse

I find it a little funny how this article seems to suggest that security researchers have 'unveiled' a class of vulnerabilities that have been known about for a long time (google XML Parser Vulnerabilities or XML Bombs).


Posted by: JediahL | August 6, 2009 12:39 PM | Report abuse
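The parser-level failure modes the article and this comment refer to (entity expansion, or "XML bombs", and deeply nested input that exhausts a recursive consumer) are usually mitigated by the application refusing those constructs before the library ever expands them. The following is an added example, not code from the article, Codenomicon or any named vendor: a hardened wrapper around Python's standard-library expat parser that fails closed on DOCTYPE and entity declarations and on nesting beyond an assumed limit. The sample documents are constructed for illustration.

```python
# Added example, not code from the article or from Codenomicon: a hardened
# wrapper around Python's standard-library expat parser that refuses the
# constructs behind entity-expansion ("XML bomb") and deep-nesting abuse.
import xml.parsers.expat as expat

MAX_DEPTH = 256  # assumed limit; tune to the deepest document you expect

class UnsafeXMLError(ValueError):
    """A document used a construct the hardened parser refuses."""

def parse_tags(document):
    """Return element names in document order; raise UnsafeXMLError for
    DOCTYPE/entity use or deep nesting, expat.ExpatError if malformed."""
    p = expat.ParserCreate()
    names, depth = [], [0]

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError("DOCTYPE declarations are not accepted")
    def reject_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError("entity declaration %r is not accepted" % name)
    def start(name, attrs):
        depth[0] += 1
        if depth[0] > MAX_DEPTH:  # guards recursive consumers of the tree
            raise UnsafeXMLError("nesting deeper than %d" % MAX_DEPTH)
        names.append(name)
    def end(name):
        depth[0] -= 1

    p.StartDoctypeDeclHandler = reject_doctype
    p.EntityDeclHandler = reject_entity
    p.StartElementHandler = start
    p.EndElementHandler = end
    p.Parse(document, True)  # exceptions raised in handlers propagate here
    return names

def classify(document):
    """Return 'ok', 'rejected' (unsafe construct) or 'malformed'."""
    try:
        parse_tags(document)
        return "ok"
    except UnsafeXMLError:
        return "rejected"
    except expat.ExpatError:
        return "malformed"

# Constructed samples: a benign playlist, a DTD with an entity, deep nesting.
SAFE_DOC = "<playlist><track>song.mp3</track></playlist>"
ENTITY_DOC = '<!DOCTYPE x [<!ENTITY a "aaaa">]><x>&a;</x>'
DEEP_DOC = "<a>" * (MAX_DEPTH + 1) + "</a>" * (MAX_DEPTH + 1)
```

Rejecting the DOCTYPE up front means the library never sees the entity definitions, so no expansion work is done regardless of how the parser itself handles them.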

Would someone pls put the relevance of this article in language a non-computer IT user can understand? Meaning, what current threat is this (are these) discovery(ies) to my computer? And is there anything I can or should be doing to safeguard it?

Posted by: jcluma | August 6, 2009 2:26 PM | Report abuse

Novice hackers who read this will now use it to screw up things. Thanks Security Fix for informing them.

That's my opinion

Posted by: MyOpinionCounts | August 6, 2009 9:45 PM | Report abuse

"Would someone pls put the relevance of this article in language a non-computer IT user can understand?"

It means if you use Java (check for an orange coffee icon in the lower right hand corner of your screen) you'll have yet another security patch to install soon.

Apache and Ruby are typically used on web servers so now would be a good time to bring a plate of chocolate chip cookies to your server administrator as a token of your appreciation for the work they do. Those patches are harder to apply.

One thing that made these vulnerabilities noteworthy is that they were in what is called a library. Software libraries are collections of pre-made building blocks that can be reused in hundreds of thousands of different places to build all sorts of different types of software.

Imagine you need to build a house fast and so you subcontract all the plumbing. Everything's great until a year or so later when you start smelling raw sewage, then things can get ugly. Let's say it wasn't the subcontractor though, let's say it was a manufacturing defect at the factory for every pipe they sold, and now 100,000 homes have defective pipes.

When a vulnerability is found in a shared code library after everyone is already using it, it is very difficult to make sure every single user that picked up that library is going to fix it in every single place. It becomes a race against time and Ari's point seems to be that many software vendors aren't moving fast enough to keep their customers safe -- the sooner and earlier this category of bug is detected and fixed the better off we all are.

Posted by: drover | August 7, 2009 3:19 AM | Report abuse

Indeed, I'm really appalled by the confusion between XML and the software commonly employed to handle XML contents. It's like warning about the quality of tires instead of saying they are inflated at the wrong pressure. Mr. Krebs: what's the difference for the general and (as you appear to believe) ignorant public? That XML is a free, open standard that has been doing a tremendous job at favoring interoperability. Shooting at it in such an unmotivated way is no service to the public. As such the article calls for a prompt correction.

Posted by: brunogiovanni | August 7, 2009 5:17 AM | Report abuse


© 2010 The Washington Post Company