New discoveries of XML vulnerabilities which may cause denial-of-service attacks and execution of malicious codes in infected PCs to be released at Hacker Halted USA 2009 conference in Miami, Florida

Codenomicon Ltd, a leading vendor of software security testing solutions and Silver Sponsor for Hacker Halted USA 2009, announced today that it has helped fix multiple critical flaws in popular XML libraries, including implementations from Sun Microsystems, Apache Software Foundation, and Python.

Codenomicon discovered the vulnerabilities in early 2009 as part of the development of a new product for XML testing. When XML libraries were subjected to tests, multiple vulnerabilities were quickly identified in parsing XML data. The vulnerabilities could be exploited by enticing a user to open a specifically crafted XML file, or by submitting malicious requests to web services that handle XML content. The impact of the discovered vulnerabilities varies from denial-of-service attacks to potential execution of malicious code on affected systems. After the vulnerabilities had been found, Codenomicon worked together with CERT-FI (Finnish National Computer Emergency Response Team) to coordinate the remediation of the found issues with the affected vendors. In addition to Sun, Apache, and Python, a few other projects are expected to announce their fixes at a later time.

“XML implementations are ubiquitous – they are found in systems and services where one would not expect to find them”, says Erka Koivunen, Head of CERT-FI. “For us it is crucial that end users and organizations who use the affected libraries upgrade to the new versions. This announcement is just the beginning of a long remediation process that ends only when the patches have been deployed to production systems”, Koivunen continues.

These discoveries, along with the launch of its new testing solution, DEFENSICS for XML, will be released at the upcoming Hacker Halted USA 2009 conference in Miami, Florida. Ari Takanen, Founder and CTO of Codenomicon Ltd, will be presenting at the conference.