XML Flaws disclosed

One of the core components of interactive web services was found to have serious programming flaws. Exploiting these flaws could lead to anything from denial of service to malicious documents being used to seize control of users' computers. XML is used in all types of web services, including banking, desktop programs and cloud computing applications. Extensible Markup Language (XML) is the markup system that allows applications to exchange data.

Researchers at Codenomicon Ltd., a security testing company from Oulu, Finland, say they found multiple critical flaws in XML libraries, the code that is used and reused to process XML data. They used CROSS, or Codenomicon Robust Open Source Software, to test the libraries' failure modes. By feeding manipulated data into XML libraries, Codenomicon tested their ability to cope with corrupted data. The results were disconcerting.

The Codenomicon researchers said:

Early this year (2009) we released some of our first XML-based tools to the market and used XML fuzzing technology against a set of open source XML implementations. The result was that once again, everything broke.

These XML libraries are used in cloud computing services, 3-dimensional programs, and a wide range of business software. RSS feeds, OpenOffice documents and all types of programs that exchange data use these libraries. XML libraries are linked both statically and dynamically. In other cases XML handling is coded directly into applications, with parsers implemented in the application software itself. Parsers and applications coded in the C language are especially vulnerable, since stack overflow errors in C are not uncommon. There may be millions of applications using XML and XML parsers.

The XML flaws can be attacked both locally and remotely. Malformed network requests could cause an application to go into a loop and become unavailable. When remote communication is involved, remote exploits are possible. Social networking sites and nearly all interactive web sites use some type of XML. Malicious code can be embedded inside documents, web sites or even data streams.
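The malformed-input testing described above can be tried in miniature against a parser you depend on. The following is an added example, not Codenomicon's tooling or code from the article: it corrupts a constructed sample document and checks that Python's standard `xml.etree.ElementTree` parser either accepts each input or rejects it with a clean `ParseError`. The sample document, function names and time budget are assumptions.

```python
import random
import time
import xml.etree.ElementTree as ET

# Constructed sample input, not taken from the article.
SEED_DOC = (b'<?xml version="1.0"?><feed><entry id="1">'
            b'<title>constructed sample</title></entry></feed>')

def mutate(data, rng):
    """Return a copy of data with one random corruption applied."""
    buf = bytearray(data)
    pos = rng.randrange(len(buf))
    op = rng.choice(("flip", "delete", "repeat", "truncate"))
    if op == "flip":                      # flip a single bit
        buf[pos] ^= 1 << rng.randrange(8)
    elif op == "delete":                  # drop a short run of bytes
        del buf[pos:pos + rng.randint(1, 8)]
    elif op == "repeat":                  # duplicate a short run many times
        chunk = bytes(buf[pos:pos + rng.randint(1, 8)])
        buf[pos:pos] = chunk * rng.randint(2, 50)
    else:                                 # cut the document off early
        del buf[pos:]
    return bytes(buf)

def classify(data):
    """Parse one input and name the outcome."""
    try:
        ET.fromstring(data)
        return "accepted"
    except ET.ParseError:
        return "rejected"                 # clean, expected failure mode
    except Exception as exc:              # anything else is a robustness bug
        return "unexpected:" + type(exc).__name__

def run(iterations=500, seed=2009, budget_s=0.5):
    """Test the parser; return (outcome counts, inputs worth triage)."""
    rng = random.Random(seed)
    counts, findings = {}, []
    for _ in range(iterations):
        case = mutate(SEED_DOC, rng)
        start = time.perf_counter()
        outcome = classify(case)
        elapsed = time.perf_counter() - start
        counts[outcome] = counts.get(outcome, 0) + 1
        if outcome.startswith("unexpected") or elapsed > budget_s:
            findings.append((outcome, round(elapsed, 3), case))
    return counts, findings

if __name__ == "__main__":
    print("outcomes and cases to triage:", run())
```

The time budget only flags slow inputs after the fact; catching a parser that never returns requires running each case in a separate process with a timeout.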

Nearly every sector of the economy is affected by this flaw. Banking, manufacturing, retail, health care, government, and electric, gas and water network companies all use XML for data interchange and communication.

Sun Microsystems, the Apache Software Foundation and the Python Software Foundation have all announced patches and fixes for the vulnerabilities found in their software.

Codenomicon said:

We cannot discuss the security of commercial XML products or library versions within the CROSS project, as the project is intended to benefit the open source community only.

