www. S D Linux.com » XML

SCAP: computer security for the rest of us.

pacneil — Tue, 12 Oct 2010 17:33:47 +0000

by Gunnar Hellekson

I’m setting up a new computer. I get through the registration screens, install my software, change my wallpaper, and everything’s working fine. I’m left, though, with a lingering, uneasy feeling: I don’t know if this machine is secure. I’m a computer guy, so I know how to set up strong passwords and firewalls, but I’m still not sure if I’ve done everything right. I turn to my vendor, who has hopefully published a hardening guide. If I’m very enthusiastic, I might even follow the NSA’s Security and Network Analysis Center Guides. If I do any of these things, I’m already being more diligent that 95% of users out there. And that’s a problem.

Personal responsibility and its sworn enemy, “I have something better to do.”

XML Flaws disclosed

pacneil — Fri, 07 Aug 2009 20:04:39 +0000

One of the core components of interactive web services was found to have serious programming flaws. An exploit of these flaws has the potential for anything from denial of service to sending of malicious documents to seize control of users computers. XML is used in all types of web services, including banking, desktop programs and cloud computing applications. Extensible Markup Language is the markup system that allows applications to exchange data.

Researchers at Codenomicon Ltd., a security testing company from Oulu, Finland, say they found multiple critical flaws in XML libraries, code that is used and re-used to process XML data. They used CROSS, or Codenomicon Robust Open Source Software, to test libraries failure modes. By inputting manipulated data into XML libraries Codnomicon tested their ability to contend with corrupted data. The results were disconcerting.

The Codenomicon researches said:

Early this year (2009) we released some of our first XML-based tools to the market and used XML fuzzing technology against a set of open source XML implementations. The result was that once again, everything broke.

These XML libraries are used in cloud computing services, 3-dimensional programs, and a wide range of business software. RSS feeds, openoffice documents and all types of programs that exchange data, use these libraries. XML libraries are linked both statically and dynamically. XML is coded directly into applications and parsers are implemented directly in application software. Parsers and applications coded in the C language are especially vulnerable, since stack overflow errors in C are not uncommon. There may be millions of applications using XML and XML parsers.

The XML flaws can be attacked both locally and remotely. Malformed network requests could cause application to go into loop and become unavailable. When remote communication is involved remote exploits are possible. Social networking sites and nearly all interactive web sites use some type of XML. Malicious code can be embedded inside documents, web sites or even data streams.

Nearly every sector of the economy is effected by this flaw. Banking, Manufacturing, Retail, Health Care, Government, Electric/Gas/Water Network Companies all use XML for data interchange and communication.

Sun Microsystems, Apache Software Foundation and Python Software Foundation have all announced patches and fixes for found vulnerabilities in their software.

Codenomicon said:

We cannot discuss the security of commercial XML products or library versions within the CROSS project, as the project is intended to benefit the open source community only.

Integrate Creative Commons Licensing into your content with ccREL

admin — Thu, 16 Jul 2009 16:35:59 +0000

Summary: With Web 2.0, Cloud, and SOA, it’s more important than ever to have a clear understanding of who owns information and what you are permitted to do with it. The Creative Commons License contains a mechanism for providing more open usage rights without giving up ownership. The Creative Commons (CC) Rights Expression Language (ccREL) allows you to embed this information into Web content so that information owners and information users can clearly see the rights granted and choose accordingly, even through automation. Learn more about these techniques, and see how to use them in your own applications.