Major security holes in popular XML libraries


A security research outfit has issued a warning for several critical vulnerabilities in popular XML libraries used by a wide range of software vendors.

The flaws, discovered earlier this year by Codenomicon, affect a wide range of technology products, including servers and server applications, workstations and end user applications, network devices, embedded systems and mobile devices. Vendors affected include Sun Microsystems, the Apache Software Foundation and Python.

Here's the skinny from Finland's Computer Emergency Response Team (CERT-FI):

The vulnerabilities are related to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely. The effects of the vulnerabilities include denial of service and potentially code execution. The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting it to a server that handles XML content.

The vulnerabilities can be triggered remotely and, in some cases (Python), remain unpatched.
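The advisory describes two trigger classes: element data with unexpected byte values and deeply recursive nesting. A common mitigation while a patch is pending is to put a bounded pre-check in front of the application's parser that refuses malformed encodings and caps nesting depth. The example below is added here and is not code from the article, from Codenomicon or from CERT-FI; it uses Python's own `xml.parsers.expat` module, the depth limit of 64 is an assumed policy value, and the sample documents are constructed for illustration. Because the guard itself runs on expat, it enforces limits before a document reaches application logic but is not a substitute for applying the vendor fix.

```python
"""Added defensive example (not from the article or the affected projects):
reject XML input that is not valid UTF-8 or that nests elements deeper than
a fixed limit, before handing it to application code."""
import xml.parsers.expat

MAX_DEPTH = 64  # assumed policy value; tune to what the application needs


class DepthExceeded(Exception):
    """Raised from the start-element handler when the nesting cap is hit."""


def check_xml(data: bytes, max_depth: int = MAX_DEPTH) -> tuple[bool, str]:
    """Return (accepted, reason) for a byte string of XML.

    Rejects: invalid UTF-8, element nesting deeper than max_depth, and any
    document expat reports as malformed (mismatched tags, bad characters).
    """
    # 1. Reject unexpected byte values up front, before any parsing happens.
    try:
        data.decode("utf-8")
    except UnicodeDecodeError as exc:
        return False, f"invalid UTF-8 at byte {exc.start}"

    depth = 0
    max_seen = 0

    def on_start(name, attrs):
        # Exceptions raised here propagate out of Parser.Parse(), which
        # aborts the parse immediately instead of walking the whole tree.
        nonlocal depth, max_seen
        depth += 1
        max_seen = max(max_seen, depth)
        if depth > max_depth:
            raise DepthExceeded(depth)

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end

    # 2. Stream the document through expat with the depth cap enforced.
    try:
        parser.Parse(data, True)
    except DepthExceeded as exc:
        return False, f"nesting depth {exc.args[0]} exceeds limit {max_depth}"
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    return True, f"ok (max depth {max_seen})"


if __name__ == "__main__":
    # Constructed sample inputs: one benign, one deeply nested, one with a
    # stray byte, one with mismatched tags.
    samples = {
        "benign": b"<order><item sku='1'/></order>",
        "deep": b"<a>" * 100 + b"</a>" * 100,
        "bad-byte": b"<a>\xff</a>",
        "mismatch": b"<a><b></a>",
    }
    for label, doc in samples.items():
        accepted, reason = check_xml(doc)
        print(f"{label:9s} accepted={accepted} {reason}")
```

A service that accepts XML uploads would call `check_xml` on the raw request body and return a 4xx on rejection; logging the `reason` string gives the operations team a signal for which trigger class is being seen.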
