Researchers: XML Security Flaws are Pervasive

Security researchers today unveiled details about a little-known but ubiquitous class of vulnerabilities that may reside in a range of Internet components, from Web applications to mobile and cloud computing platforms to documents, images and instant messaging products.

At issue are problems with the way many hardware and software makers handle data from an open standard called XML. Short for "eXtensible Markup Language," XML has been used for many years as a fast and efficient way to transport, store and structure information across a wide range of often disparate applications.

Researchers at Codenomicon Ltd., a security testing company out of Oulu, Finland, say they found multiple critical flaws in XML "libraries," chunks of code that are typically used and re-used in software applications to process XML data.

Codenomicon is a spinoff from the University of Oulu, and is run by many of the same individuals who in 2001-2002 found and reported widespread vulnerabilities in implementations of SNMP, the Simple Network Management Protocol used for remote network management, whose messages are encoded with a notation called ASN.1. That research kicked off months of studying and patching by the U.S. government and private sector, which found the ASN.1 flaws extended to some of the nation's most critical electronic infrastructures, including the telephone network, the power grid, and air traffic control systems.

Howard Schmidt, a Codenomicon board member who served as cyber security adviser to President Bush during the ASN.1 episode, said these XML flaws are nearly as widespread. Schmidt said the result of a successful attack against a vulnerable XML library could range from allowing the remote installation of malicious software to simply sending the application into an infinite loop, rendering it temporarily inaccessible.

"XML is being used in so many different things we're doing on the Web today," Schmidt said. "So it's a big deal when something goes wrong with something that's Internet-facing that so many people depend upon."

XML is used in a variety of document formats (docx, openoffice, playlists, configuration files and RSS feeds, to name a few). As a result, there are numerous vectors for attacking XML flaws remotely, such as sending malicious documents or network requests, said Jussi Eronen, an information security adviser for CERT-FI, the Finnish Computer Emergency Response Team.
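A defensive pattern for the failure modes described above, as an added example (this is not code from Codenomicon, CERT-FI or any vendor named in the article): every untrusted document is parsed in a disposable worker process with a size cap and a wall-clock budget, so a library that hangs or dies on a crafted file costs one worker rather than the whole service. The cap, the timeout, the helper names and the sample feeds are assumptions, and the hanging parser is a constructed stand-in for the infinite-loop behaviour the article mentions, not real expat behaviour. It uses only the Python standard library and assumes a POSIX host with the fork start method.

```python
"""Parse untrusted XML inside a disposable worker process (added example)."""
import multiprocessing as mp
import xml.etree.ElementTree as ET

MAX_BYTES = 1 << 20   # assumed cap: reject anything over 1 MiB before it reaches the parser
TIMEOUT_S = 2.0       # assumed wall-clock budget for a single parse

# Constructed sample inputs: a small RSS-like feed and the same feed with a mismatched tag.
GOOD_FEED = (b'<?xml version="1.0"?>'
             b'<rss version="2.0"><channel><title>feed</title>'
             b'<item><title>one</title></item></channel></rss>')
BAD_FEED = b'<rss><channel><title>feed</channel></rss>'


def summarise(data: bytes) -> dict:
    """Runs inside the worker: parse with the stdlib (expat-backed) parser and hand back
    only a small, picklable summary, never the element tree itself."""
    root = ET.fromstring(data)
    return {"root": root.tag, "elements": sum(1 for _ in root.iter())}


def hang_forever(_data: bytes):
    """Constructed stand-in for a parser with an infinite-loop bug; not real expat behaviour."""
    while True:
        pass


def _worker(parser, data, conn):
    try:
        conn.send(("ok", parser(data)))
    except Exception as exc:          # ET.ParseError for malformed input, or whatever the library raises
        conn.send(("error", f"{type(exc).__name__}: {exc}"))
    finally:
        conn.close()


def parse_untrusted(data: bytes, parser=summarise, timeout=TIMEOUT_S, max_bytes=MAX_BYTES):
    """Return (status, payload); status is one of ok, error, too_large, timeout, crashed."""
    if len(data) > max_bytes:
        return ("too_large", len(data))
    ctx = mp.get_context("fork")      # assumption: POSIX host; fork passes `parser` without pickling
    recv_end, send_end = ctx.Pipe(duplex=False)
    proc = ctx.Process(target=_worker, args=(parser, data, send_end))
    proc.start()
    send_end.close()                  # the parent keeps only the receiving end
    try:
        if recv_end.poll(timeout):
            try:
                result = recv_end.recv()
            except EOFError:          # worker died without answering, e.g. a crash inside the library
                result = ("crashed", None)
        else:
            result = ("timeout", timeout)
    finally:
        recv_end.close()
        proc.join(1.0)
        if proc.is_alive():           # a wedged worker never returns on its own: kill it
            proc.kill()
            proc.join()
    if result[0] == "crashed":
        result = ("crashed", proc.exitcode)
    return result


if __name__ == "__main__":
    print(parse_untrusted(GOOD_FEED))
    print(parse_untrusted(BAD_FEED))
    print(parse_untrusted(b"<a>" + b"x" * MAX_BYTES + b"</a>"))
    print(parse_untrusted(GOOD_FEED, parser=hang_forever, timeout=0.5))
```

The size cap runs before any parsing, so an oversized document never touches the library, and the worker returns only a summary because the parsed tree itself is what a buggy library may have corrupted. A real service would replace the hard-coded numbers with limits tuned to the documents it expects.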

Eronen said three major software makers - Sun Microsystems, the Apache Software Foundation and the Python Software Foundation - are expected to release updates today to address the XML flaws (Sun's Java update, Java 6 Update 15, is already out, and mentions at least two XML flaws). Eronen predicts a large number of other software vendors will ship patches for the flaws in the weeks and months ahead.

"There is no doubt whatsoever that a great deal of vulnerabilities similar to the ones released [today] will emerge over time," Eronen said. "Moreover, people tend to make similar mistakes in coding, so that a single XML file might at worst affect several libraries. This would be a good moment to wrap our heads around this problem, and to attain some degree of understanding of how to handle similar issues in the future."

Codenomicon founder Ari Takanen said he is not aware of any public exploits for these vulnerabilities. But he said he hopes other, potentially affected software vendors, take this discovery seriously.

"It is impossible to forecast what will happen. My pessimistic guess is that nobody really cares until the first exploits emerge," Takanen told Security Fix.

Update, 5:31 p.m. ET: CERT-FI's advisory on this is here.