And now, from that fun-loving Finnish gang that discovered the ASN.1 network
standard vulnerabilities in 2001 – critical flaws in XML.
Researchers at Codenomicon in Oulu, Finland, have found critical flaws in open-source Extensible Markup Language (XML) parsing libraries, code that underpins a huge array of applications used by nearly every sector of the computer-using population of planet Earth.
Ari Takanen, Codenomicon's CTO, has said that the vulnerabilities are present in every open-source XML library, and that many of them could let the dark side write exploits that mount denial-of-service attacks or execute malicious code.
The affected code includes the XML parsers shipped with Java and Python as well as the Apache Xerces library, so any application built on top of them is exposed.
Libraries written in C (and most are, Takanen said) are the high-risk cases: an exploit against a C parser matters more because it can achieve code execution rather than only a crash.
Codenomicon briefed the Finnish Computer Emergency Response Team (CERT-FI), which is contacting software publishers who have embedded the libraries in their products.
The principals of Codenomicon discovered vulnerabilities in the ASN.1 network standard in 2001 that many companies (and governments) struggled to fix for months.
The vulnerabilities can be exploited along two paths: a victim can be social-engineered into opening a malicious XML file, or an attacker can send malicious requests to Web services that parse XML.
Organizations should watch for security updates from the vendors of the XML libraries they use and apply them as they appear.
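Both attack paths end with an untrusted document reaching a C parser that may crash or spin, so beyond patching it helps to make those outcomes survivable. The following is an added example, not code from the article or from Codenomicon: it hands each document to a separate Python interpreter that caps its own address space and CPU time before calling expat, classifies what happened to the parser (parsed, rejected, hang, crash, memory exhausted), and reports the expat and libxml2 versions in use so they can be compared against vendor advisories. The function names, the limits and the sample documents are all assumptions constructed here; it requires a POSIX system for the `resource` module.

```python
"""Contain untrusted XML parsing in a resource-limited child process.

Added example (not code from the article or from Codenomicon). Caveat: if a
parser bug allows code execution, it executes in the child, so this is damage
limitation for the crash/hang class of flaw, not a substitute for the patch.
"""
import signal
import subprocess
import sys
import xml.parsers.expat as expat

# Source of the child interpreter. The limits are assumed values; tune them.
CHILD = r"""
import sys
import xml.parsers.expat as expat
try:
    import resource
    for lim, val in ((resource.RLIMIT_AS, 512 * 1024 * 1024), (resource.RLIMIT_CPU, 5)):
        try:
            resource.setrlimit(lim, (val, val))
        except (ValueError, OSError):
            pass  # already tighter, or not permitted: proceed without it
except ImportError:
    pass  # non-POSIX platform: no limits available
data = sys.stdin.buffer.read()
try:
    expat.ParserCreate().Parse(data, True)
except expat.ExpatError as exc:
    print(exc, file=sys.stderr)
    sys.exit(2)  # well-formedness error: rejected cleanly
"""


def parse_contained(data: bytes, timeout: float = 10.0) -> str:
    """Parse `data` in a limited child and classify what happened to the parser."""
    try:
        proc = subprocess.run([sys.executable, "-c", CHILD], input=data,
                              capture_output=True, timeout=timeout)
    except subprocess.TimeoutExpired:
        return "hang"                       # wall-clock denial of service
    rc = proc.returncode
    if rc == 0:
        return "parsed"
    if rc == 2:
        return "rejected"
    if rc < 0:                              # child was killed by a signal
        if -rc == getattr(signal, "SIGXCPU", None):
            return "hang"                   # CPU limit hit: denial of service
        try:
            return "crash:" + signal.Signals(-rc).name   # e.g. crash:SIGSEGV
        except ValueError:
            return "crash:%d" % -rc
    if b"MemoryError" in proc.stderr:
        return "memory-exhausted"           # address-space cap hit
    return "error"


def parser_versions() -> dict:
    """Report the C parser versions in use, for comparison against advisories."""
    versions = {"expat": expat.EXPAT_VERSION}
    try:
        import lxml.etree as et             # optional: libxml2 sits behind lxml
        versions["libxml2"] = ".".join(str(p) for p in et.LIBXML_VERSION)
    except ImportError:
        pass
    return versions


# Constructed sample documents (not from any advisory): one benign, the rest
# the kinds of malformed or oversized input a robustness test feeds a parser.
SAMPLES = {
    "benign": b"<doc><a x='1'>hi</a></doc>",
    "truncated": b"<doc><a x='1'>hi</a>",
    "bad_bytes": b"<?xml version='1.0' encoding='UTF-8'?><doc>\xff\xfe</doc>",
    "deep_nesting": b"<a>" * 20000 + b"</a>" * 20000,
    "huge_attribute": b"<doc x='" + b"A" * (1024 * 1024) + b"'/>",
}


def run_samples() -> dict:
    """Parse every sample in containment and return {name: outcome}."""
    return {name: parse_contained(doc) for name, doc in SAMPLES.items()}


if __name__ == "__main__":
    print("parser versions:", parser_versions())
    for name, outcome in run_samples().items():
        print("%-15s %s" % (name, outcome))
```

Anything other than "parsed" or "rejected" is worth logging with the document that produced it: a "crash:SIGSEGV" from a current expat or libxml2 is exactly the kind of finding the advisory process above exists for.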
According to the Codenomicon web site: “Founded in 2001, the company was spun out of the successful PROTOS test tools research of the Oulu University Secure Programming Group.”
See the story in The Register.