X
Tech

Code Red for XML open source

Codenomicon said it found the issues early this year while developing a product for XML testing, and has already been working with Finland's CERT-FI on remediation.
Written by Dana Blankenhorn, Inactive

In a sign of things to come, Codenomicon has issued an alert against "multiple critical security issues in XML libraries," which include libraries from Sun, Apache, Python and GNOME.

Codenomicon said it found the issues early this year while developing a product for XML testing, and has already been working with Finland's CERT-FI on remediation.

Recommendations and patches are already going out. (I first found this cute little guy in 2004, while I was blogging for Corante. A now extinct firm called Irenecrafts was offering instructions on making them.)

Both ZDNet's UK security team and our own Joe McKendrick have been putting out the word, but it's also important to note where we are in terms of Bruce Schneier's famous "window of exposure" chart, first published in the year 2000.

The announcement of a vulnerability is a virus's second level of fame. You know, who's virus, get me virus, get me something like virus, get me young virus, and who's virus. An announcement alerts virus writers to a vulnerability, and exploits follow, meaning the risk to users immediately starts jumping.

The peak moment of risk comes when a vendor discloses a patch, but it does not start declining until after users install the patch.

All this means that we are now entering the key window of vulnerability to this problem, and that window closes only after all your XML libraries have been updated.

If you own any of the following libraries you need to be alert and ready to patch:

  • Python libexpat
  • Apache Xerces
  • Sun JDK and JRE 6 Update 14 and earlier
  • Sun JDK and JRE 5.0 Update 19 and earlier.

Not only will servers and PCs be vulnerable until patches are installed, but so will embedded systems and mobile devices.

Sun says it has patched JRE 6 Update 15 and JRE 5 Update 19 but warns it has no workaround for earlier versions, so this may be around a while. Xerces got out a patch in June and one is in process for Python.

Editorial standards