Code Red for XML open source

Code Red for XML open source

Summary: Codenomicon said it found the issues early this year while developing a product for XML testing, and has already been working with Finland's CERT-FI on remediation.

SHARE:

In a sign of things to come, Codenomicon has issued an alert against "multiple critical security issues in XML libraries," which include libraries from Sun, Apache, Python and GNOME.

Codenomicon said it found the issues early this year while developing a product for XML testing, and has already been working with Finland's CERT-FI on remediation.

Recommendations and patches are already going out. (I first found this cute little guy in 2004, while I was blogging for Corante. A now extinct firm called Irenecrafts was offering instructions on making them.)

Both ZDNet's UK security team and our own Joe McKendrick have been putting out the word, but it's also important to note where we are in terms of Bruce Schneier's famous "window of exposure" chart, first published in the year 2000.

The announcement of a vulnerability is a virus's second level of fame. You know, who's virus, get me virus, get me something like virus, get me young virus, and who's virus. An announcement alerts virus writers to a vulnerability, and exploits follow, meaning the risk to users immediately starts jumping.

The peak moment of risk comes when a vendor discloses a patch, but it does not start declining until after users install the patch.

All this means that we are now entering the key window of vulnerability to this problem, and that window closes only after all your XML libraries have been updated.

If you own any of the following libraries you need to be alert and ready to patch:

  • Python libexpat
  • Apache Xerces
  • Sun JDK and JRE 6 Update 14 and earlier
  • Sun JDK and JRE 5.0 Update 19 and earlier.

Not only will servers and PCs be vulnerable until patches are installed, but so will embedded systems and mobile devices.

Sun says it has patched JRE 6 Update 15 and JRE 5 Update 19 but warns it has no workaround for earlier versions, so this may be around a while. Xerces got out a patch in June and one is in process for Python.

Topics: Open Source, Security, Software Development

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

4 comments
Log in or register to join the discussion
  • Open source is secure = Bullshit lies

    Despite the eyes of millions of altruistic losers, horrific security are streaming through every day. Or maybe all the losers are so focused on developing another replacement desktop, that they don't have time for security. Or most likely, they're visting their hero Reiser in prison. Clueless dopes, keep doing volunteer work for billion dollar corporations, they really do appreciate free labor.
    jackbond
    • wow what a intelligent post my god help us

      full of proof no insult what so ever ....
      a masterpiece of clarity and more

      you must be a member of mensa or or your own
      group (redneck for a better tomorow dug in mud
      )

      Please keep inlighting us sir.. Us few ,happy
      few .


      Once again we have a clear reprensentation of
      high brain power

      Sir i salute you and your intelligence
      have a glass of moonshine

      Quebec-french
    • Open source is secure = ******** lies

      Abraham Lincoln once said,"Sometimes it is better to remain silent and have people think you a fool, than to speak and remove any doubt."
      ator1940
  • RE: Code Red for XML open source

    Not only will servers and PCs be vulnerable until patches are installed, but so will embedded systems and mobile devices.<a href="http://tnxinvitationcode.wordpress.com/"><font color="white"> code</font></a>
    zakkiromi