Enterprises are vulnerable to the growing number of threats in XML libraries, a security analyst has warned.
"Hackers are moving up the stack to the application level," said Neil MacDonald, a vice president at research firm Gartner. XML-based attacks can be expected to be "the next big thing for hackers," he added.
His comments came after security test toolmaker Codenomicon and the Finnish Computer Emergency Response Team (CERT-FI) disclosed security risks in XML libraries that could result in successful denial-of-service attacks on applications built with them.
A wide variety of applications have implemented the vulnerable XML libraries, which include those from Python Software Foundation, Sun Microsystems and Apache Software Foundation. Developers are being advised to follow instructions for remediation from vendors to prevent the exploits detailed by CERT-FI and Codenomicon.
"The effects of the vulnerabilities include denial-of-service and potentially code execution," the CERT-FI advisory said. "The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting it to a server that handles XML content."
The vulnerabilities relate to the parsing of XML elements with "unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely," the advisory notes.
Some updates for remediation are available, and CERT-FI is providing information about that. But as of early today, an update for Python was not yet available. "We are working on it," reads a simple statement available through CERT-FI.
MacDonald said Codenomicon has been researching XML-related flaws for some time, and the issue isn't wholly new. The bigger issue is that many developers have implemented open-source XML libraries in custom and commercial applications, and over the years, people may be unaware what has been used in an application, he added.
"Use of these libraries is pervasive," MacDonald said. But people don't always keep track of the open-source third-party libraries they're using, and a developer may have moved on to another project without recording that detail. "It becomes hard because you don't even know what applications are vulnerable."