Researchers Uncover Critical XML Library Flaws
Researchers have uncovered numerous vulnerabilities in popular XML libraries from Sun Microsystems, Python and the Apache Software Foundation.
The bugs were discovered by researchers at code testing firm Codenomicon in early 2009 while the company was developing a new product for testing XML. When testing XML libraries, evidence of multiple flaws in the parsing of XML data popped up. The vulnerabilities could be exploited by tricking a user into opening a malicious XML file or submitting malicious requests to Web services handling XML content. “We have not heard of anyone exploiting these flaws yet,” said Heikki Kortti, senior security specialist at Codenomicon.
According to Kortti, the company reported the flaws to CERT-FI, the Finnish national Computer Emergency Response Team, in February. After the vulnerabilities had been found, Codenomicon worked together with CERT-FI to coordinate the remediation of the issues with the affected vendors. In addition to Sun, Apache, and Python, a few other projects are expected to announce their fixes at a later date. Information from Sun about fixing the issues can be found here.