XML Library Flaw — Sun, Apache, GNOME Affected 140
bednarz writes with this excerpt from Network World:
"Vulnerabilities discovered in XML libraries from Sun, the Apache Software Foundation, the Python Software Foundation and the GNOME Project could result in successful denial-of-service attacks on applications built with them, according to Codenomicon. The security vendor found flaws in XML parsers that made it fairly easy to cause a DoS attack, corruption of data, and delivery of a malicious payload using XML-based content. Codenomicon has shared its findings with industry and the open source groups, and a number of recommendations and patches for the XML-related vulnerabilities are expected to be made available Wednesday. In addition, a general security advisory is expected to be published by the Computer Emergency Response Team in Finland (CERT-FI)."
Re:Open source (Score:3, Interesting)
You'll probably getted tagged 'troll' for that, but I'll bite.
It's not that open source is not susceptible to these things (all software is). But with open source, these things are usually found more quickly, and are generally patched/fixed more quickly. I don't have statistics to support a statement that critical errors like this happen less often with open source, but I would have no trouble believing that.
Open source is usually more transparent about the problem, too. Many closed source vendors hide these things, so you never know you're vulnerable and thus can't adjust for it.
Re:Why is Python excluded from Title? (Score:3, Interesting)
Also, the linked article and the news on the Codenomicon website don't mention GNOME.
Re:ASCII Delimited Security Issues (Score:3, Interesting)
Refusing to handle invalid input isn't denial of service. Also, I haven't seen any XML parser that would give you a null pointer/reference exception on invalid input. In fact, all that I've used will give the exact line/column number at which error happened.
XML... (Score:2, Interesting)
See signature.
random gibberish to make lameness filter happy.
Re:XML... (Score:3, Interesting)
I would if the slashdot UI would have a link or button on the page to view the signature of individual messages.
Someone just rediscovered XML Entity Attacks (Score:4, Interesting)
It's difficult to say from the information provided, but it sounds like someone just rediscovered XML entity attacks (as I did a few years ago). Assuming it is the same thing, here are some references from 2002 and 2006 with more details:
http://www.securiteam.com/securitynews/6D0100A5PU.html [securiteam.com]
http://www.sift.com.au/assets/downloads/SIFT-XML-Port-Scanning-v1-00.pdf [sift.com.au]
I've used these attacks in real-world tests and they are still surprisingly effective - just not new.