Major security holes in popular XML libraries
Summary: A security research outfit has issued a warning for several critical vulnerabilities in popular XML libraries used by a wide range of software vendors. The flaws, discovered earlier this year by Codenomicon, affect a wide range of technology products, including servers and server applications, workstations and end user applications, network devices, embedded systems and mobile devices.
The flaws, discovered earlier this year by Codenomicon, affect a wide range of technology products, including servers and server applications, workstations and end user applications, network devices, embedded systems and mobile devices. Vendors affected include Sun Microsystems, the Apache Software Foundation and Python.
Here's the skinny from Finland's Computer Emergency Response Team (CERT-FI):
The vulnerabilities are related to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely. The effects of the vulnerabilities include denial of service and potentially code execution. The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting it to a server that handles XML content.
The vulnerabilities can be triggered remotely and, in some cases (Python), remain unpatched.
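The CERT-FI description above names two triggers, unexpected byte values and recursively nested parentheses in XML input, and notes that a server handling submitted XML is exposed. The cheapest mitigation for a service that has no business accepting DTDs is to refuse any document carrying one before the library's DTD parser ever sees it. The following is an added example, not code from the article, from CERT-FI or Codenomicon, or from any of the affected libraries: a gate around Python's standard-library expat binding that rejects oversized or non-UTF-8 input and any DOCTYPE, with the check applied twice, once as a byte-level prescan and again from inside the parser, because a document in UTF-16 without a byte-order mark slips past a naive search for `<!DOCTYPE` yet is still autodetected and parsed by expat. The size limit, the function names and all sample documents are assumptions constructed for the example; the nested content model is only a stand-in for the shape the advisory describes, not a reproduction of the reported flaw.

```python
import xml.parsers.expat as expat

# Assumed per-request limit; tune for the service in question.
MAX_BYTES = 1 << 20


class UntrustedXMLError(ValueError):
    """Raised when a document fails the safety gate."""


def build_nested_content_model(depth):
    """Construct a document whose internal DTD wraps an element content
    model in `depth` nested parentheses: the general shape CERT-FI
    describes, built here as a test input, not a real attack file."""
    model = "(" * depth + "b" + ")" * depth
    doc = ('<?xml version="1.0"?>\n'
           '<!DOCTYPE a [\n'
           '  <!ELEMENT a %s>\n'
           '  <!ELEMENT b (#PCDATA)>\n'
           ']>\n'
           '<a><b>hello</b></a>\n' % model)
    return doc.encode("utf-8")


def build_utf16_doctype_doc():
    """Constructed UTF-16LE document with no BOM: every byte is ASCII or
    NUL, so it decodes as UTF-8 and hides "<!DOCTYPE" from a byte scan,
    yet expat autodetects the encoding from the leading "<\\0?\\0"."""
    doc = ('<?xml version="1.0" encoding="UTF-16"?>'
           '<!DOCTYPE a [<!ELEMENT a (#PCDATA)>]><a/>')
    return doc.encode("utf-16-le")


def prescan(data):
    """First gate: bound the size, insist on valid UTF-8 (the service is
    assumed to accept only UTF-8), and refuse an inline or external DTD."""
    if len(data) > MAX_BYTES:
        raise UntrustedXMLError("document exceeds size limit")
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise UntrustedXMLError("invalid UTF-8 at byte %d" % exc.start)
    if "<!DOCTYPE" in text:
        raise UntrustedXMLError("DTD not accepted from untrusted sources")
    return text


def parse_untrusted(data):
    """Parse untrusted XML and return [(tag, attrs), ...] in document order.

    Second gate: the expat handlers abort on any DOCTYPE or entity
    declaration, so a DTD reaches the parser only as far as the
    declaration event, never into content-model parsing."""
    prescan(data)
    events = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UntrustedXMLError("DTD not accepted from untrusted sources")

    def on_entity_decl(*args):
        raise UntrustedXMLError("entity declarations not accepted")

    def on_start(name, attrs):
        events.append((name, attrs))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UntrustedXMLError("malformed XML: %s" % exc)
    return events


def rejection_reason(data):
    """Return the gate's rejection message, or None if the document parsed."""
    try:
        parse_untrusted(data)
    except UntrustedXMLError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(rejection_reason(b'<?xml version="1.0"?><a x="1"><b/></a>'))
    print(rejection_reason(build_nested_content_model(64)))
    print(rejection_reason(build_utf16_doctype_doc()))
    print(rejection_reason(b'<?xml version="1.0"?><a>\xff</a>'))
```

The gate is a workaround, not a fix: it removes the DTD attack surface from one service while the underlying library still needs patching, and it does nothing for a service that genuinely must accept DTDs. The UTF-16 case is the reason the handler layer exists; a prescan on raw bytes is only as good as its assumptions about encoding.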
Talkback
Open Source Secure
Superior peer-reviewed software
Repeat after me, software written in mom's basement might be free, but that's its only virtue.
Machine code
LMAO
No, what's really sad
RE: No, what's really sad
Sounds pretty real to me.
OMG. Sandbox I said!
Litterbox is a better term I think :)
Agreed, sandbox!
However, vulnerabilities happen in all software, commercial or open source. It really has very little to do with the development model and everything to do with the QA policies in place. Cue Microsoft's SDL, which is now widely regarded as a state-of-the-art security-oriented development model.
But as vulnerabilities WILL happen we need defense in-depth.
If you are running Linux then use Apparmor. Spend some time tweaking those profiles.
If you are running Windows Vista / 7, leave UAC switched on, as disabling UAC will ALSO disable the IE7/8 sandbox. Consider using Chrome, which has a better security track record and ALSO has a sandbox.
If you are running OSX, well, there's really not much you can do. While OSX does have "some" sandbox capability, it is flawed, ineffective and not even enabled for the apps where it makes the most sense.
Regardless of operating system, uninstall features/applications (especially Java versions) you don't use.
Regardless of operating system, keep your system up-to-date.
if only
You're probably intelligent people, possibly professionals. How about acting like it?
Probability
So on top of the rabid geek/lifestyle majority you also have ZDNet paying the bloggers by the amount of posts they attract. This of course leads to plenty of troll blogs (that can be characterised by a "Windows Sux" headline) to attract as many intemperate posts as possible.
So if you are looking for intelligent professional discussion, you won't find it here ;-)
Ubuntu released 4 patches for XML today